History log of /openbsd-current/libexec/login_skey/login_skey.c
Revision Date Author Comments
# 1.30 08-Mar-2023 guenther

Delete obsolete /* ARGSUSED */ lint comments.

ok miod@ millert@


Revision tags: OPENBSD_6_9_BASE OPENBSD_7_0_BASE OPENBSD_7_1_BASE OPENBSD_7_2_BASE
# 1.29 02-Jan-2021 millert

Check auth_mkvalue(3) return value for NULL (malloc failure).
For constant strings we don't actually need to use auth_mkvalue(3).
Problem reported by Ross L Richardson.


Revision tags: OPENBSD_6_6_BASE OPENBSD_6_7_BASE OPENBSD_6_8_BASE
# 1.28 28-Jun-2019 deraadt

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


Revision tags: OPENBSD_6_5_BASE
# 1.27 25-Jan-2019 millert

I am retiring my old email address; replace it with my OpenBSD one.


Revision tags: OPENBSD_6_2_BASE OPENBSD_6_3_BASE OPENBSD_6_4_BASE
# 1.26 20-Jul-2017 bluhm

When login_skey was called for a user without skey, it crashed with
NULL pointer dereference. It tried to pass a file descriptor that
did not exist. This has to be done conditionally.
bug found by Raimund Specht with process accounting; OK millert@


Revision tags: OPENBSD_5_9_BASE OPENBSD_6_0_BASE OPENBSD_6_1_BASE
# 1.25 16-Oct-2015 millert

Implement real "flock" request and add it to userland programs that
use pledge and file locking. OK deraadt@


Revision tags: OPENBSD_5_7_BASE OPENBSD_5_8_BASE
# 1.24 16-Jan-2015 deraadt

Replace <sys/param.h> with <limits.h> and other less dirty headers where
possible. Annotate <sys/param.h> lines with their current reasons. Switch
to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change
MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where
sensible to avoid pulling in the pollution. These are the files confirmed
through binary verification.
ok guenther, millert, doug (helped with the verification protocol)


Revision tags: OPENBSD_4_6_BASE OPENBSD_4_7_BASE OPENBSD_4_8_BASE OPENBSD_4_9_BASE OPENBSD_5_0_BASE OPENBSD_5_1_BASE OPENBSD_5_2_BASE OPENBSD_5_3_BASE OPENBSD_5_4_BASE OPENBSD_5_5_BASE OPENBSD_5_6_BASE
# 1.23 02-Jun-2009 jmeltzer

comment spelling fix: ARSGUSED -> ARGSUSED


Revision tags: OPENBSD_4_4_BASE OPENBSD_4_5_BASE
# 1.22 24-Mar-2008 deraadt

msg_controllen has to be CMSG_SPACE so that the kernel can account for
each cmsg_len (i.e. msg_controllen = sum of CMSG_ALIGN(cmsg_len)). This
works now that kernel fd passing has been fixed to accept a bit of
sloppiness because of this ABI repair.
lots of discussion with kettenis


# 1.21 15-Mar-2008 deraadt

Repair the simple cases for msg_controllen where it should just be
CMSG_SIZE(sizeof(int)), not sizeof(buffer) which may be larger because
of alignment; ok kettenis hshoexer


# 1.20 13-Mar-2008 deraadt

Correct CMSG_SPACE and CMSG_LEN usage everywhere in the tree. Due to
an extensive discussion with otto, kettenis, millert, and hshoexer


Revision tags: OPENBSD_4_2_BASE OPENBSD_4_3_BASE
# 1.19 26-Jul-2007 millert

Remove the space after "Password:" in password prompts where echo is
turned off. This is consistent with historic UNIX behavior.


# 1.18 25-May-2007 krw

"interupt" -> "interrupt" in various comments. Mostly from Diego Casati.


Revision tags: OPENBSD_3_7_BASE OPENBSD_3_8_BASE OPENBSD_3_9_BASE OPENBSD_4_0_BASE OPENBSD_4_1_BASE
# 1.17 18-Sep-2004 deraadt

ARGSUSED signal handler


Revision tags: OPENBSD_3_6_BASE
# 1.16 30-Aug-2004 millert

Use CMSG_SPACE when allocating space for the control message.
Fixes fd passing problems on sparc and sparc64. OK henning@


# 1.15 11-Aug-2004 millert

Rename confusing variable for readability's sake. No actual code changes.


# 1.14 08-Aug-2004 deraadt

spacing


# 1.13 05-Aug-2004 millert

Add support for passing an fd to the user's S/Key record back and
forth between login_skey and the invoking process. This allows us
to keep the record locked between an invocation of login_skey that
receives the challenge and another that verifies the response,
preventing an interloper from sniffing the challenge and beating
the legitimate user to the response.
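
The descriptor passing described in revision 1.13, with the control-message sizing that revisions 1.16 and 1.20 to 1.22 settled on, shown as an added example that is not taken from login_skey.c. The names `fdmsg`, `init_fdmsg`, `send_fd`, `recv_fd` and `lock_survives_fd_passing`, and the temporary file standing in for an S/Key record, are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE		/* glibc: expose flock() and mkstemp() */
#include <sys/file.h>
#include <sys/socket.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* One message: a dummy payload byte plus room for one SCM_RIGHTS fd. */
struct fdmsg {
	struct msghdr msg;
	struct iovec iov;
	union {				/* union aligns buf for cmsghdr */
		struct cmsghdr hdr;
		char buf[CMSG_SPACE(sizeof(int))];
	} cm;
	char byte;
};

static void init_fdmsg(struct fdmsg *m)
{
	memset(m, 0, sizeof(*m));
	m->iov.iov_base = &m->byte;
	m->iov.iov_len = 1;
	m->msg.msg_iov = &m->iov;
	m->msg.msg_iovlen = 1;
	m->msg.msg_control = m->cm.buf;
	m->msg.msg_controllen = sizeof(m->cm.buf);	/* CMSG_SPACE total */
}

/* Send fd over a UNIX-domain socket; returns 0, or -1 on error. */
int send_fd(int sock, int fd)
{
	struct fdmsg m;
	struct cmsghdr *cmsg;

	init_fdmsg(&m);
	cmsg = CMSG_FIRSTHDR(&m.msg);
	cmsg->cmsg_len = CMSG_LEN(sizeof(int));	/* header + payload, no pad */
	cmsg->cmsg_level = SOL_SOCKET;
	cmsg->cmsg_type = SCM_RIGHTS;
	memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
	return sendmsg(sock, &m.msg, 0) == -1 ? -1 : 0;
}

/* Receive one fd; returns it, or -1 if none arrived intact. */
int recv_fd(int sock)
{
	struct fdmsg m;
	struct cmsghdr *cmsg;
	int fd;

	init_fdmsg(&m);
	if (recvmsg(sock, &m.msg, 0) == -1 || (m.msg.msg_flags & MSG_CTRUNC))
		return -1;
	cmsg = CMSG_FIRSTHDR(&m.msg);
	if (cmsg == NULL || cmsg->cmsg_len != CMSG_LEN(sizeof(int)) ||
	    cmsg->cmsg_level != SOL_SOCKET || cmsg->cmsg_type != SCM_RIGHTS)
		return -1;
	memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
	return fd;
}

/* 1 if the flock(2) lock outlives the pass, 0 if not, -1 on error. */
int lock_survives_fd_passing(void)
{
	char path[] = "/tmp/skey-record.XXXXXX";	/* constructed stand-in */
	int sv[2], fd, passed = -1, probe, held = -1;

	if ((fd = mkstemp(path)) == -1)
		return -1;
	if (flock(fd, LOCK_EX) == 0 &&
	    socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
		if (send_fd(sv[0], fd) == 0)
			passed = recv_fd(sv[1]);
		close(sv[0]);
		close(sv[1]);
	}
	close(fd);	/* sender's copy is gone; only the passed fd remains */
	if (passed != -1 && (probe = open(path, O_RDWR)) != -1) {
		/* A fresh open is a separate file description: it must block. */
		held = flock(probe, LOCK_EX | LOCK_NB) == -1 && errno == EWOULDBLOCK;
		close(probe);
	}
	if (passed != -1)
		close(passed);
	unlink(path);
	return held;
}
```

The lock stays in place because flock(2) locks belong to the open file description, and SCM_RIGHTS hands the receiver a reference to that same description rather than a fresh open of the file.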


Revision tags: OPENBSD_3_5_BASE
# 1.12 10-Mar-2004 millert

More checking for a NULL return value from getpass(). otto@ OK


Revision tags: OPENBSD_3_2_BASE OPENBSD_3_3_BASE OPENBSD_3_4_BASE
# 1.11 06-Sep-2002 deraadt

ansi; ok millert pvalchev


# 1.10 28-Jun-2002 deraadt

minor indent cleanup


# 1.9 02-Jun-2002 deraadt

minor KNF


# 1.8 29-May-2002 deraadt

a few more strlcat


Revision tags: OPENBSD_3_1_BASE
# 1.7 16-Feb-2002 millert

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.


# 1.6 07-Dec-2001 millert

Catch SIGINT, SIGQUIT and SIGTSTP but ignore during the database
update. We have to be careful and drop our lock if we are suspended
and then regain the lock on resume. This is necessary because the
user must not be allowed to keep a record locked for a long period
of time to avoid a DoS. We must be sure to re-lock when we resume
because otherwise an attacker could suspend us until a user starts
to login and then resume and then race the user for login using
the challenge response from the user.


# 1.5 06-Dec-2001 millert

Do not set handler for SIGINT and SIGQUIT to SIG_IGN since it prevents
getpass()/readpassphrase() from being able to restore the tty mode
on keyboard interrupt. Along with the recent readpassphrase.c commit
this means that if you ^C things that use login scripts (like su(1))
with a non-CBREAK shell your tty mode will be restored nicely.

TODO:
The various login scripts need to install handlers to avoid leaving
turd files or otherwise ending in a bad state. It would also be
nice to send BI_REJECT to the back channel.


# 1.4 24-Oct-2001 mpech

getopt(3) returns -1 when out of args, not EOF.

millert@ ok


Revision tags: OPENBSD_3_0_BASE
# 1.3 25-Jun-2001 millert

Remove instance stuff now that su uses an explicit option to specify
the invoking user.


# 1.2 20-Jun-2001 millert

Add an alarm to implement a timeout on the locked record.


Revision tags: OPENBSD_2_9_BASE
# 1.1 12-Dec-2000 millert

skey login script; authenticates the user via S/Key
will be used when BSD authentication is enabled

