diff --git a/lib/Makefile.am b/lib/Makefile.am
index 6045bab2e..02d482f0a 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -27,8 +27,6 @@ libshadow_la_SOURCES = \
 adds.c \
 adds.h \
 age.c \
- agetpass.c \
- agetpass.h \
 alloc/calloc.c \
 alloc/calloc.h \
 alloc/malloc.c \
diff --git a/lib/agetpass.c b/lib/agetpass.c
deleted file mode 100644
index c3bd0eee9..000000000
--- a/lib/agetpass.c
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2022, Alejandro Colomar
- *
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-
-#include
-
-#include "agetpass.h"
-
-#include
-#include
-#include
-
-#ident "$Id$"
-
-#include "alloc/malloc.h"
-#include "pass.h"
-
-
-/*
- * SYNOPSIS
- * [[gnu::malloc(erase_pass)]]
- * char *agetpass(const char *prompt);
- * char *agetpass_stdin();
- *
- * void erase_pass(char *pass);
- *
- * ARGUMENTS
- * agetpass()
- * prompt String to be printed before reading a password.
- *
- * erase_pass()
- * pass password previously returned by agetpass().
- *
- * DESCRIPTION
- * agetpass()
- * This function is very similar to getpass(3). It has several
- * advantages compared to getpass(3):
- *
- * - Instead of using a static buffer, agetpass() allocates memory
- * through malloc(3). This makes the function thread-safe, and
- * also reduces the visibility of the buffer.
- *
- * - agetpass() doesn't reallocate internally. Some
- * implementations of getpass(3), such as glibc, do that, as a
- * consequence of calling getline(3). That's a bug in glibc,
- * which allows leaking prefixes of passwords in freed memory.
- *
- * - agetpass() doesn't overrun the output buffer. If the input
- * password is too long, it simply fails. Some implementations
- * of getpass(3), share the same bug that gets(3) has.
- *
- * As soon as possible, the password obtained from agetpass() be
- * erased by calling erase_pass(), to avoid possibly leaking the
- * password.
- *
- * agetpass_stdin()
- * This function is the same as previous one (agetpass). Just the
- * password is read from stdin and terminal is not required.
- *
- * erase_pass()
- * This function first clears the password, by calling
- * explicit_bzero(3) (or an equivalent call), and then frees the
- * allocated memory by calling free(3).
- *
- * NULL is a valid input pointer, and in such a case, this call is
- * a no-op.
- *
- * RETURN VALUE
- * agetpass() returns a newly allocated buffer containing the
- * password on success. On error, errno is set to indicate the
- * error, and NULL is returned.
- *
- * ERRORS
- * agetpass()
- * This function may fail for any errors that malloc(3) or
- * readpassphrase(3) may fail, and in addition it may fail for the
- * following errors:
- *
- * ENOBUFS
- * The input password was longer than PASS_MAX.
- *
- * CAVEATS
- * If a password is passed twice to erase_pass(), the behavior is
- * undefined.
- */
-
-
-static char *
-agetpass_internal(const char *prompt, int flags)
-{
- char *pass;
- size_t len;
-
- pass = MALLOC(PASS_MAX + 2, char);
- if (pass == NULL)
- return NULL;
-
- if (readpass(pass, prompt, flags) == NULL)
- goto fail;
-
- return pass;
-
-fail:
- free(pass);
- return NULL;
-}
-
-char *
-agetpass(const char *prompt)
-{
- return agetpass_internal(prompt, RPP_REQUIRE_TTY);
-}
-
-char *
-agetpass_stdin()
-{
- return agetpass_internal(NULL, RPP_STDIN);
-}
-
-void
-erase_pass(char *pass)
-{
- free(passzero(pass));
-}
diff --git a/lib/agetpass.h b/lib/agetpass.h
deleted file mode 100644
index 4a4444e1d..000000000
--- a/lib/agetpass.h
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
- * SPDX-FileCopyrightText: 2022-2023, Alejandro Colomar
- * SPDX-License-Identifier: BSD-3-Clause
- */
-
-
-#ifndef SHADOW_INCLUDE_LIB_AGETPASS_H_
-#define SHADOW_INCLUDE_LIB_AGETPASS_H_
-
-
-#include
-
-#include "attr.h"
-#include "defines.h"
-
-
-void erase_pass(char *pass);
-ATTR_MALLOC(erase_pass)
-char *agetpass(const char *prompt);
-char *agetpass_stdin();
-
-
-#endif // include guard