From patchwork Wed Jan 13 08:19:05 2021
X-Patchwork-Submitter: Tõivo Leedjärv
X-Patchwork-Id: 1560
From: Tõivo Leedjärv
Date: Wed, 13 Jan 2021 20:19:05 +0100
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] [PATCH] Stop using deprecated getpass()

The getpass() function is present in SUSv2, but marked LEGACY. It is removed in POSIX.1-2001. Additionally, on Solaris getpass() returns a maximum of 8 bytes. This will make longer passwords fail with no possibility for the user to know what is happening.
This patch removes usage of getpass() completely and replaces it with direct implementation of what getpass() does: opens tty (existing code), outputs the prompt (existing code), turns off echoing (new code), reads one line (existing code shared with echoed mode), restores tty state (new code) and closes tty (existing code). Signed-off-by: Tõivo Leedjärv <69477666+tleedjarv@users.noreply.github.com> --- configure.ac | 4 ++- src/openvpn/console_builtin.c | 63 +++++++++++++++++++++-------------- 2 files changed, 41 insertions(+), 26 deletions(-) * Open the current console TTY for read/write operations @@ -177,7 +181,7 @@ close_tty(FILE *fp) } } -#endif /* HAVE_GETPASS */ +#endif /* HAVE_TERMIOS_H */ /** @@ -201,7 +205,9 @@ get_console_input(const char *prompt, const bool echo, char *input, const int ca #if defined(_WIN32) return get_console_input_win32(prompt, echo, input, capacity); -#elif defined(HAVE_GETPASS) +#elif defined(HAVE_TERMIOS_H) + int restore_tty = 0; + struct termios tty_a, tty_save; /* did we --daemon'ize before asking for passwords? * (in which case neither stdin or stderr are connected to a tty and 
@@ -220,33 +226,40 @@ get_console_input(const char *prompt, const bool echo, char *input, const int ca close(fd); } - if (echo) - { - FILE *fp; + FILE *fp; - fp = open_tty(true); - fprintf(fp, "%s", prompt); - fflush(fp); - close_tty(fp); + fp = open_tty(true); + fprintf(fp, "%s", prompt); + fflush(fp); + close_tty(fp); - fp = open_tty(false); - if (fgets(input, capacity, fp) != NULL) - { - chomp(input); - ret = true; - } - close_tty(fp); + fp = open_tty(false); + + if (!echo && (tcgetattr(fileno(fp), &tty_a) == 0)) + { + tty_save = tty_a; + tty_a.c_lflag &= ~(ECHO | ECHOE | ECHOK | ECHONL | ISIG); + restore_tty = (tcsetattr(fileno(fp), TCSAFLUSH, &tty_a) == 0); } - else + + if (fgets(input, capacity, fp) != NULL) { - char *gp = getpass(prompt); - if (gp) - { - strncpynt(input, gp, capacity); - secure_memzero(gp, strlen(gp)); - ret = true; - } + chomp(input); + ret = true; } + + if (!echo && restore_tty) + { + (void) tcsetattr(fileno(fp), TCSAFLUSH, &tty_save); + + /* Echo the non-echoed newline */ + close_tty(fp); + fp = open_tty(true); + fprintf(fp, "\n"); + fflush(fp); + } + + close_tty(fp); #else /* if defined(_WIN32) */ msg(M_FATAL, "Sorry, but I can't get console input on this OS (%s)", prompt); #endif /* if defined(_WIN32) */ diff --git a/configure.ac b/configure.ac index 1ab8fe59..2c094da7 100644 --- a/configure.ac +++ b/configure.ac @@ -645,7 +645,7 @@ AC_FUNC_FORK AC_CHECK_FUNCS([ \ daemon chroot getpwnam setuid nice system getpid dup dup2 \ - getpass syslog openlog mlockall getgrnam setgid \ + syslog openlog mlockall getgrnam setgid \ setgroups stat flock readv writev time gettimeofday \ ctime memset vsnprintf strdup \ setsid chdir putenv getpeername unlink \ @@ -653,6 +653,8 @@ AC_CHECK_FUNCS([ \ epoll_create strsep \ ]) +AC_CHECK_HEADERS([termios.h]) + AC_CHECK_LIB( [dl], [dlopen], diff --git a/src/openvpn/console_builtin.c b/src/openvpn/console_builtin.c index 445928bf..f1d91b32 100644 --- a/src/openvpn/console_builtin.c 
+++ b/src/openvpn/console_builtin.c @@ -40,6 +40,10 @@ #include "buffer.h" #include "misc.h" +#ifdef HAVE_TERMIOS_H +#include +#endif + #ifdef _WIN32 #include "win32.h" @@ -138,7 +142,7 @@ get_console_input_win32(const char *prompt, const bool echo, char *input, const #endif /* _WIN32 */ -#ifdef HAVE_GETPASS +#ifdef HAVE_TERMIOS_H /**
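Review bot: with getpass dropped from AC_CHECK_FUNCS in the configure.ac hunk at @@ -645, HAVE_GETPASS is no longer defined anywhere, and the diffstat shows console_builtin.c as the only source file touched; a grep for remaining HAVE_GETPASS references (sources, m4, build scripts) before merging would confirm nothing else was silently relying on it.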
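Review bot: AC_CHECK_HEADERS([termios.h]) at @@ -653 only establishes that the header exists; on a non-Windows host where it is absent, get_console_input() falls through to the #else branch that calls msg(M_FATAL, "Sorry, but I can't get console input on this OS ...") at the first password prompt, and nothing at configure time says so. Consider an AC_MSG_WARN (or AC_MSG_ERROR) in the header-absent case so the loss of console password input shows up at build time rather than at runtime.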
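Review bot: the added `#include` line in the @@ -40 hunk carries no header name in the rendered patch; given the new AC_CHECK_HEADERS([termios.h]) this is presumably `#include <termios.h>` with the angle-bracketed name lost in archiving, but please confirm the line is intact in the actual submission, since the tcgetattr()/tcsetattr() calls below depend on it.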
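Review bot: switching the guard around open_tty()/close_tty() from HAVE_GETPASS to HAVE_TERMIOS_H at @@ -138 is consistent with the get_console_input() change, but it now ties plain echoed prompting, which needs no termios at all, to the presence of termios.h. If that coupling is intended, a one-line comment at the #ifdef stating that this block is the POSIX tty console implementation would help the next reader see why.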
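Review bot: `tty_a` and `tty_save` at @@ -201 are declared for the whole #elif block but only used on the !echo path; with restore_tty initialised to 0 that is safe, though names such as `tty_new`/`tty_orig` would make the two tcsetattr() calls further down read more clearly.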
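Review bot: in the @@ -220 hunk, when echo is false but tcgetattr() or tcsetattr() fails, restore_tty stays 0 and the same fgets() then reads the password with echo still on, and the user is never told; a msg(M_WARN, ...) in that case (or refusing to read the secret at all) would match what a user expects from a non-echo prompt. Two smaller points on the same hunk: clearing ISIG together with ECHO means the interrupt key is consumed as password input rather than aborting, and if the process is terminated by an external signal between the two tcsetattr() calls the terminal is left with echo off, so a restore from a signal handler or an atexit() path is worth considering; and since the old branch's secure_memzero(gp, ...) goes away while the line now arrives through fp's stdio buffer, which nothing here clears, a setvbuf(fp, NULL, _IONBF, 0) before fgets() would keep a second copy of the secret out of that buffer.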