emo/shadow
1
0
Fork 0
Code Issues Pull Requests Packages Releases Activity
7668f77439
shadow/libmisc/agetpass.c

131 lines
3.1 KiB
C
Raw Normal View History

libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
/*
agetpass.c: Use SPDX tags Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-01-30 02:14:17 +05:30
* SPDX-FileCopyrightText: 2022, Alejandro Colomar <alx@kernel.org>
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
*
agetpass.c: Use SPDX tags Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-01-30 02:14:17 +05:30
* SPDX-License-Identifier: BSD-3-Clause
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
*/
agetpass.c: Use SPDX tags Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-01-30 02:14:17 +05:30
agetpass: Hook into build-system Signed-off-by: Guillem Jover <guillem@hadrons.org> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-11-21 18:30:13 +05:30
#include <config.h>
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
#include <limits.h>
#include <readpassphrase.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ident "$Id$"
Use safer allocation macros Use of these macros, apart from the benefits mentioned in the commit that adds the macros, has some other good side effects: - Consistency in getting the size of the object from sizeof(type), instead of a mix of sizeof(type) sometimes and sizeof(*p) other times. - More readable code: no casts, and no sizeof(), so also shorter lines that we don't need to cut. - Consistency in using array allocation calls for allocations of arrays of objects, even when the object size is 1. Cc: Valentin V. Bartenev <vbartenev@gmail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-05 03:11:18 +05:30
#include "alloc.h"
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
#include "prototypes.h"
#if !defined(PASS_MAX)
libmisc: agetpass(): Fix bug detecting truncation On 2/19/23 18:09, David Mudrich wrote: > I am working on a RAM based Linux OS from source, and try to use > latest versions of all software. I found shadow needs libbsd's > readpassphrase(3) as superior alternative to getpass(3). While > considering if I a) include libbsd, or include libbsd's code of > readpassphrase(3) into shadow, found, that libbsd's readpassphrase(3) > never returns \n or \r > <https://cgit.freedesktop.org/libbsd/tree/src/readpassphrase.c> > line 122, while agetpass() uses a check for \n in agetpass.c line 108. > I assume it always fails. Indeed, it always failed. I made a mistake when writing agetpass(), assuming that readpassphrase(3) would keep newlines. > > I propose a check of len == PASS_MAX - 1, with false positive error for > exactly PASS_MAX - 1 long passwords. Instead, I added an extra byte to the allocation to allow a maximum password length of PASS_MAX (which is the maximum for getpass(3), which we're replacing. While doing that, I notice that my previous implementation also had another bug (minor): The maximum password length was PASS_MAX - 1 instead of PASS_MAX. That's also fixed in this commit. Reported-by: David Mudrich <dmudrich@gmx.de> Fixes: 155c9421b935 ("libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely") Cc: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-19 23:56:56 +05:30
#define PASS_MAX BUFSIZ - 1
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
#endif
/*
* SYNOPSIS
* [[gnu::malloc(erase_pass)]]
* char *agetpass(const char *prompt);
*
* void erase_pass(char *pass);
*
* ARGUMENTS
* agetpass()
* prompt String to be printed before reading a password.
*
* erase_pass()
* pass password previously returned by agetpass().
*
* DESCRIPTION
* agetpass()
* This function is very similar to getpass(3). It has several
* advantages compared to getpass(3):
*
* - Instead of using a static buffer, agetpass() allocates memory
* through malloc(3). This makes the function thread-safe, and
* also reduces the visibility of the buffer.
*
Use safer allocation macros Use of these macros, apart from the benefits mentioned in the commit that adds the macros, has some other good side effects: - Consistency in getting the size of the object from sizeof(type), instead of a mix of sizeof(type) sometimes and sizeof(*p) other times. - More readable code: no casts, and no sizeof(), so also shorter lines that we don't need to cut. - Consistency in using array allocation calls for allocations of arrays of objects, even when the object size is 1. Cc: Valentin V. Bartenev <vbartenev@gmail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-05 03:11:18 +05:30
* - agetpass() doesn't reallocate internally. Some
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
* implementations of getpass(3), such as glibc, do that, as a
* consequence of calling getline(3). That's a bug in glibc,
* which allows leaking prefixes of passwords in freed memory.
*
* - agetpass() doesn't overrun the output buffer. If the input
* password is too long, it simply fails. Some implementations
* of getpass(3), share the same bug that gets(3) has.
*
* As soon as possible, the password obtained from agetpass() be
* erased by calling erase_pass(), to avoid possibly leaking the
* password.
*
* erase_pass()
* This function first clears the password, by calling
* explicit_bzero(3) (or an equivalent call), and then frees the
* allocated memory by calling free(3).
*
* NULL is a valid input pointer, and in such a case, this call is
* a no-op.
*
* RETURN VALUE
* agetpass() returns a newly allocated buffer containing the
* password on success. On error, errno is set to indicate the
* error, and NULL is returned.
*
* ERRORS
* agetpass()
* This function may fail for any errors that malloc(3) or
* readpassphrase(3) may fail, and in addition it may fail for the
* following errors:
*
* ENOBUFS
* The input password was longer than PASS_MAX.
*
* CAVEATS
* If a password is passed twice to erase_pass(), the behavior is
* undefined.
*/
char *
agetpass(const char *prompt)
{
char *pass;
size_t len;
libmisc: agetpass(): Fix bug detecting truncation On 2/19/23 18:09, David Mudrich wrote: > I am working on a RAM based Linux OS from source, and try to use > latest versions of all software. I found shadow needs libbsd's > readpassphrase(3) as superior alternative to getpass(3). While > considering if I a) include libbsd, or include libbsd's code of > readpassphrase(3) into shadow, found, that libbsd's readpassphrase(3) > never returns \n or \r > <https://cgit.freedesktop.org/libbsd/tree/src/readpassphrase.c> > line 122, while agetpass() uses a check for \n in agetpass.c line 108. > I assume it always fails. Indeed, it always failed. I made a mistake when writing agetpass(), assuming that readpassphrase(3) would keep newlines. > > I propose a check of len == PASS_MAX - 1, with false positive error for > exactly PASS_MAX - 1 long passwords. Instead, I added an extra byte to the allocation to allow a maximum password length of PASS_MAX (which is the maximum for getpass(3), which we're replacing. While doing that, I notice that my previous implementation also had another bug (minor): The maximum password length was PASS_MAX - 1 instead of PASS_MAX. That's also fixed in this commit. Reported-by: David Mudrich <dmudrich@gmx.de> Fixes: 155c9421b935 ("libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely") Cc: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-19 23:56:56 +05:30
/*
* Since we want to support passwords upto PASS_MAX, we need
* PASS_MAX bytes for the password itself, and one more byte for
* the terminating '\0'. We also want to detect truncation, and
* readpassphrase(3) doesn't detect it, so we need some trick.
* Let's add one more byte, and if the password uses it, it
* means the introduced password was longer than PASS_MAX.
*/
Use safer allocation macros Use of these macros, apart from the benefits mentioned in the commit that adds the macros, has some other good side effects: - Consistency in getting the size of the object from sizeof(type), instead of a mix of sizeof(type) sometimes and sizeof(*p) other times. - More readable code: no casts, and no sizeof(), so also shorter lines that we don't need to cut. - Consistency in using array allocation calls for allocations of arrays of objects, even when the object size is 1. Cc: Valentin V. Bartenev <vbartenev@gmail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-05 03:11:18 +05:30
pass = MALLOCARRAY(PASS_MAX + 2, char);
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
if (pass == NULL)
return NULL;
libmisc: agetpass(): Fix bug detecting truncation On 2/19/23 18:09, David Mudrich wrote: > I am working on a RAM based Linux OS from source, and try to use > latest versions of all software. I found shadow needs libbsd's > readpassphrase(3) as superior alternative to getpass(3). While > considering if I a) include libbsd, or include libbsd's code of > readpassphrase(3) into shadow, found, that libbsd's readpassphrase(3) > never returns \n or \r > <https://cgit.freedesktop.org/libbsd/tree/src/readpassphrase.c> > line 122, while agetpass() uses a check for \n in agetpass.c line 108. > I assume it always fails. Indeed, it always failed. I made a mistake when writing agetpass(), assuming that readpassphrase(3) would keep newlines. > > I propose a check of len == PASS_MAX - 1, with false positive error for > exactly PASS_MAX - 1 long passwords. Instead, I added an extra byte to the allocation to allow a maximum password length of PASS_MAX (which is the maximum for getpass(3), which we're replacing. While doing that, I notice that my previous implementation also had another bug (minor): The maximum password length was PASS_MAX - 1 instead of PASS_MAX. That's also fixed in this commit. Reported-by: David Mudrich <dmudrich@gmx.de> Fixes: 155c9421b935 ("libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely") Cc: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-19 23:56:56 +05:30
if (readpassphrase(prompt, pass, PASS_MAX + 2, RPP_REQUIRE_TTY) == NULL)
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
goto fail;
len = strlen(pass);
libmisc: agetpass(): Fix bug detecting truncation On 2/19/23 18:09, David Mudrich wrote: > I am working on a RAM based Linux OS from source, and try to use > latest versions of all software. I found shadow needs libbsd's > readpassphrase(3) as superior alternative to getpass(3). While > considering if I a) include libbsd, or include libbsd's code of > readpassphrase(3) into shadow, found, that libbsd's readpassphrase(3) > never returns \n or \r > <https://cgit.freedesktop.org/libbsd/tree/src/readpassphrase.c> > line 122, while agetpass() uses a check for \n in agetpass.c line 108. > I assume it always fails. Indeed, it always failed. I made a mistake when writing agetpass(), assuming that readpassphrase(3) would keep newlines. > > I propose a check of len == PASS_MAX - 1, with false positive error for > exactly PASS_MAX - 1 long passwords. Instead, I added an extra byte to the allocation to allow a maximum password length of PASS_MAX (which is the maximum for getpass(3), which we're replacing. While doing that, I notice that my previous implementation also had another bug (minor): The maximum password length was PASS_MAX - 1 instead of PASS_MAX. That's also fixed in this commit. Reported-by: David Mudrich <dmudrich@gmx.de> Fixes: 155c9421b935 ("libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely") Cc: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-19 23:56:56 +05:30
if (len == PASS_MAX + 1) {
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
errno = ENOBUFS;
goto fail;
}
return pass;
fail:
libmisc: agetpass(): Fix bug detecting truncation On 2/19/23 18:09, David Mudrich wrote: > I am working on a RAM based Linux OS from source, and try to use > latest versions of all software. I found shadow needs libbsd's > readpassphrase(3) as superior alternative to getpass(3). While > considering if I a) include libbsd, or include libbsd's code of > readpassphrase(3) into shadow, found, that libbsd's readpassphrase(3) > never returns \n or \r > <https://cgit.freedesktop.org/libbsd/tree/src/readpassphrase.c> > line 122, while agetpass() uses a check for \n in agetpass.c line 108. > I assume it always fails. Indeed, it always failed. I made a mistake when writing agetpass(), assuming that readpassphrase(3) would keep newlines. > > I propose a check of len == PASS_MAX - 1, with false positive error for > exactly PASS_MAX - 1 long passwords. Instead, I added an extra byte to the allocation to allow a maximum password length of PASS_MAX (which is the maximum for getpass(3), which we're replacing. While doing that, I notice that my previous implementation also had another bug (minor): The maximum password length was PASS_MAX - 1 instead of PASS_MAX. That's also fixed in this commit. Reported-by: David Mudrich <dmudrich@gmx.de> Fixes: 155c9421b935 ("libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely") Cc: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-19 23:56:56 +05:30
freezero(pass, PASS_MAX + 2);
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
return NULL;
}
void
erase_pass(char *pass)
{
libmisc: agetpass(): Fix bug detecting truncation On 2/19/23 18:09, David Mudrich wrote: > I am working on a RAM based Linux OS from source, and try to use > latest versions of all software. I found shadow needs libbsd's > readpassphrase(3) as superior alternative to getpass(3). While > considering if I a) include libbsd, or include libbsd's code of > readpassphrase(3) into shadow, found, that libbsd's readpassphrase(3) > never returns \n or \r > <https://cgit.freedesktop.org/libbsd/tree/src/readpassphrase.c> > line 122, while agetpass() uses a check for \n in agetpass.c line 108. > I assume it always fails. Indeed, it always failed. I made a mistake when writing agetpass(), assuming that readpassphrase(3) would keep newlines. > > I propose a check of len == PASS_MAX - 1, with false positive error for > exactly PASS_MAX - 1 long passwords. Instead, I added an extra byte to the allocation to allow a maximum password length of PASS_MAX (which is the maximum for getpass(3), which we're replacing. While doing that, I notice that my previous implementation also had another bug (minor): The maximum password length was PASS_MAX - 1 instead of PASS_MAX. That's also fixed in this commit. Reported-by: David Mudrich <dmudrich@gmx.de> Fixes: 155c9421b935 ("libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely") Cc: Iker Pedrosa <ipedrosa@redhat.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2023-02-19 23:56:56 +05:30
freezero(pass, PASS_MAX + 2);
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely There are several issues with getpass(3). Many implementations of it share the same issues that the infamous gets(3). In glibc it's not so terrible, since it's a wrapper around getline(3). But it still has an important bug: If the password is long enough, getline(3) will realloc(3) memory, and prefixes of the password will be laying around in some deallocated memory. See the getpass(3) manual page for more details, and especially the commit that marked it as deprecated, which links to a long discussion in the linux-man@ mailing list. So, readpassphrase(3bsd) is preferrable, which is provided by libbsd on GNU systems. However, using readpassphrase(3) directly is a bit verbose, so we can write our own wrapper with a simpler interface similar to that of getpass(3). One of the benefits of writing our own interface around readpassphrase(3) is that we can hide there any checks that should be done always and which would be error-prone to repeat every time. For example, check that there was no truncation in the password. Also, use malloc(3) to get the buffer, instead of using a global buffer. We're not using a multithreaded program (and it wouldn't make sense to do so), but it's nice to know that the visibility of our passwords is as limited as possible. erase_pass() is a clean-up function that handles all clean-up correctly, including zeroing the entire buffer, and then free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we make sure that we don't leak the buffers in any case, since the compiler will be able to enforce clean up. Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b> Reported-by: Christian Göttsche <cgzones@googlemail.com> Signed-off-by: Alejandro Colomar <alx@kernel.org>
2022-09-27 01:52:24 +05:30
}
Reference in New Issue Copy Permalink