1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
|
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>
#include "insecure_memzero.h"
#include "warnp.h"
#include "readpass.h"
#define MAXPASSLEN 2048
/* Signals we need to block. */
static const int badsigs[] = {
SIGALRM, SIGHUP, SIGINT,
SIGPIPE, SIGQUIT, SIGTERM,
SIGTSTP, SIGTTIN, SIGTTOU
};
#define NSIGS sizeof(badsigs)/sizeof(badsigs[0])
/* Highest signal number we care about. */
#define MAX2(a, b) ((a) > (b) ? (a) : (b))
#define MAX4(a, b, c, d) MAX2(MAX2(a, b), MAX2(c, d))
#define MAX8(a, b, c, d, e, f, g, h) MAX2(MAX4(a, b, c, d), MAX4(e, f, g, h))
#define MAXBADSIG MAX2(SIGALRM, MAX8(SIGHUP, SIGINT, SIGPIPE, SIGQUIT, \
SIGTERM, SIGTSTP, SIGTTIN, SIGTTOU))
/* Has a signal of this type been received? */
static volatile sig_atomic_t gotsig[MAXBADSIG + 1];
/* Signal handler. */
static void
handle(int sig)
{
gotsig[sig] = 1;
}
/* Restore old signals and re-issue intercepted signals. */
static void
resetsigs(struct sigaction savedsa[NSIGS])
{
size_t i;
/* Restore old signals. */
for (i = 0; i < NSIGS; i++)
sigaction(badsigs[i], &savedsa[i], NULL);
/* If we intercepted a signal, re-issue it. */
for (i = 0; i < NSIGS; i++) {
if (gotsig[badsigs[i]])
raise(badsigs[i]);
}
}
/**
* readpass(passwd, prompt, confirmprompt, devtty)
* If ${devtty} is non-zero, read a password from /dev/tty if possible; if
* not, read from stdin. If reading from a tty (either /dev/tty or stdin),
* disable echo and prompt the user by printing ${prompt} to stderr. If
* ${confirmprompt} is non-NULL, read a second password (prompting if a
* terminal is being used) and repeat until the user enters the same password
* twice. Return the password as a malloced NUL-terminated string via
* ${passwd}.
*/
int
readpass(char ** passwd, const char * prompt,
const char * confirmprompt, int devtty)
{
FILE * readfrom;
char passbuf[MAXPASSLEN];
char confpassbuf[MAXPASSLEN];
struct sigaction sa, savedsa[NSIGS];
struct termios term, term_old;
size_t i;
int usingtty;
/*
* If devtty != 0, try to open /dev/tty; if that fails, or if devtty
* is zero, we'll read the password from stdin instead.
*/
if ((devtty == 0) || ((readfrom = fopen("/dev/tty", "r")) == NULL))
readfrom = stdin;
/* We have not received any signals yet. */
for (i = 0; i <= MAXBADSIG; i++)
gotsig[i] = 0;
/*
* If we receive a signal while we're reading the password, we might
* end up with echo disabled; to prevent this, we catch the signals
* here, and we'll re-send them to ourselves later after we re-enable
* terminal echo.
*/
sa.sa_handler = handle;
sa.sa_flags = 0;
sigemptyset(&sa.sa_mask);
for (i = 0; i < NSIGS; i++)
sigaction(badsigs[i], &sa, &savedsa[i]);
/* If we're reading from a terminal, try to disable echo. */
if ((usingtty = isatty(fileno(readfrom))) != 0) {
if (tcgetattr(fileno(readfrom), &term_old)) {
warnp("Cannot read terminal settings");
goto err2;
}
memcpy(&term, &term_old, sizeof(struct termios));
term.c_lflag = (term.c_lflag & ~((tcflag_t)ECHO)) | ECHONL;
if (tcsetattr(fileno(readfrom), TCSANOW, &term)) {
warnp("Cannot set terminal settings");
goto err2;
}
}
retry:
/* If we have a terminal, prompt the user to enter the password. */
if (usingtty)
fprintf(stderr, "%s: ", prompt);
/* Read the password. */
if (fgets(passbuf, MAXPASSLEN, readfrom) == NULL) {
if (feof(readfrom))
warn0("EOF reading password");
else
warnp("Cannot read password");
goto err3;
}
/* Confirm the password if necessary. */
if (confirmprompt != NULL) {
if (usingtty)
fprintf(stderr, "%s: ", confirmprompt);
if (fgets(confpassbuf, MAXPASSLEN, readfrom) == NULL) {
if (feof(readfrom))
warn0("EOF reading password");
else
warnp("Cannot read password");
goto err3;
}
if (strcmp(passbuf, confpassbuf)) {
fprintf(stderr,
"Passwords mismatch, please try again\n");
goto retry;
}
}
/* Terminate the string at the first "\r" or "\n" (if any). */
passbuf[strcspn(passbuf, "\r\n")] = '\0';
/* If we changed terminal settings, reset them. */
if (usingtty)
tcsetattr(fileno(readfrom), TCSANOW, &term_old);
/* Restore old signals and re-issue intercepted signals. */
resetsigs(savedsa);
/* Close /dev/tty if we opened it. */
if (readfrom != stdin)
fclose(readfrom);
/* Copy the password out. */
if ((*passwd = strdup(passbuf)) == NULL) {
warnp("Cannot allocate memory");
goto err1;
}
/*
* Zero any stored passwords. This is not guaranteed to work, since a
* "sufficiently intelligent" compiler can optimize these out due to
* the values not being accessed again; and even if we outwitted the
* compiler, all we can do is ensure that *a* buffer is zeroed but
* not that it is the only buffer containing the data in question.
* Unfortunately the C standard does not provide any way to mark data
* as "sensitive" in order to prevent extra copies being sprinkled
* around the implementation address space.
*/
insecure_memzero(passbuf, MAXPASSLEN);
insecure_memzero(confpassbuf, MAXPASSLEN);
/* Success! */
return (0);
err3:
/* Reset terminal settings if necessary. */
if (usingtty)
tcsetattr(fileno(readfrom), TCSAFLUSH, &term_old);
err2:
/* Close /dev/tty if we opened it. */
if (readfrom != stdin)
fclose(readfrom);
/* Restore old signals and re-issue intercepted signals. */
resetsigs(savedsa);
err1:
/* Zero any stored passwords. */
insecure_memzero(passbuf, MAXPASSLEN);
insecure_memzero(confpassbuf, MAXPASSLEN);
/* Failure! */
return (-1);
}
|
