unveil _PATH_LOGIN_CONF_D

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@

The first unveil userland commit!

unveil _PATH_LOGIN_CONF (/etc/login.conf) which is used by
login_getclass(3) and family before doing password encode. This
is the only filename used by the program during runtime, everything
else happens on stdin/stdout.

This does not need pledge "wpath"

Use freezero instead of explicit_bzero+free

OK tb@

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

usage() is static and __dead; add prototype for print_passwd;
return instead of exit from main

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert

convert getpass to readpassphrase. from Dimitris Papastamos

encrypt(1) also needs to pledge "wpath" for getpass().

getpass() opens /dev/tty RW so it can write the prompt.

ok deraadt@

pledge "stdio rpath tty". rpath for the configuration reading done by
login* subsystem, tty for readpassphase()
ok beck

Wrap a long line. Use explicit_bzero. Fix comment describing extra.
From Andre Smagin
Also, should be safe to print errno from newhash() now.
ok millert

increase prefbuf size so that 'encrypt -b 000000000000000000000012' works.
noticed by Andre Smagin.
also check snprintf for overflow so we get better error messages if
somebody decides to pad with even more zeroes, and avoid possible
truncations.

remove unused variable

ok tedu@

encrypt can use the scrypt scaling code in libc now via crypt_newhash

fix -b a mode, spotted by rpe

impose some limits on the ideal rounds so nothing too crazy happens when
the clock results are weird

simplify. bcrypt only support and use newer libc APIs. no makekey emul.
ok deraadt
schwarze is a little sad to see the last 1/8 shared man page go, but we
have a support program in place, called the attic.

hoist blowfish up and use bcrypt_newhash directly

remove -m from usage();

kill md5 support, broken since May
ok tedu@

simpler prototype repairs

allow auto scaling bcrypt rounds by CPU power.
ok deraadt jmc sthen

Don't trim whitespace from stdin. Encrypt it the same as other
input sources. Feedback and fixes from ray@ and fgsch@.

ok millert@ (six years ago) ray@ fgsch@

use strtonum; ok millert@

remove some bogus *p tests from charles longeau
ok deraadt millert

tidy up synopsis and usage(); from Igor Sobrado

There is no need to trim an empty string any further, just return
it.

OK moritz@.

Handle crypt(3) returning NULL. Found by Gustavo C. Pereira.

ok deraadt@

oops, to64() is shared.

passwd.conf has been deprecated since login.conf was imported.
Today it finally dies. Based on a diff from Gabriel Kihlman.

Check getpass(3) return value. From Jared Yanovich <jjy2+ at pitt dot edu>

ok henning@

protos

Add a "-c class" option to specify that the given login class should
be used to find the cipher to user.

strlcpy

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

KNF + some ANSIfication

Call pwd_gensalt() with the correct args and reference login.conf
in man page; hideishi@magisystem.net

allow prompt to be specified anywhere on the command line, make it work
with md5. prohibit makekey mode and prompt.

seperate -> separate, okay aaron@

proto bcrypt_gensalt()

include ctype.h for isspace() and fix some declarations

Add -p flag, prompt for a string with echo off.

Use fprintf/exit in place of errx for usage display.

add <stdlib.h> for atoi(), free(), etc.

(foo *)NULL -> NULL

blowfish + passwd.conf support. fixed md5 salt.

Fix core dump.

Add an old makekey(8) mode.

Slightly cleaner.

encrypt(1), little utility for encrypting passwords from the command line.

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@

The first unveil userland commit!

unveil _PATH_LOGIN_CONF (/etc/login.conf) which is used by
login_getclass(3) and family before doing password encode. This
is the only filename used by the program during runtime, everything
else happens on stdin/stdout.

This does not need pledge "wpath"

Use freezero instead of explicit_bzero+free

OK tb@

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

usage() is static and __dead; add prototype for print_passwd;
return instead of exit from main

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert

convert getpass to readpassphrase. from Dimitris Papastamos

encrypt(1) also needs to pledge "wpath" for getpass().

getpass() opens /dev/tty RW so it can write the prompt.

ok deraadt@

pledge "stdio rpath tty". rpath for the configuration reading done by
login* subsystem, tty for readpassphase()
ok beck

Wrap a long line. Use explicit_bzero. Fix comment describing extra.
From Andre Smagin
Also, should be safe to print errno from newhash() now.
ok millert

increase prefbuf size so that 'encrypt -b 000000000000000000000012' works.
noticed by Andre Smagin.
also check snprintf for overflow so we get better error messages if
somebody decides to pad with even more zeroes, and avoid possible
truncations.

remove unused variable

ok tedu@

encrypt can use the scrypt scaling code in libc now via crypt_newhash

fix -b a mode, spotted by rpe

impose some limits on the ideal rounds so nothing too crazy happens when
the clock results are weird

simplify. bcrypt only support and use newer libc APIs. no makekey emul.
ok deraadt
schwarze is a little sad to see the last 1/8 shared man page go, but we
have a support program in place, called the attic.

hoist blowfish up and use bcrypt_newhash directly

remove -m from usage();

kill md5 support, broken since May
ok tedu@

simpler prototype repairs

allow auto scaling bcrypt rounds by CPU power.
ok deraadt jmc sthen

Don't trim whitespace from stdin. Encrypt it the same as other
input sources. Feedback and fixes from ray@ and fgsch@.

ok millert@ (six years ago) ray@ fgsch@

use strtonum; ok millert@

remove some bogus *p tests from charles longeau
ok deraadt millert

tidy up synopsis and usage(); from Igor Sobrado

There is no need to trim an empty string any further, just return
it.

OK moritz@.

Handle crypt(3) returning NULL. Found by Gustavo C. Pereira.

ok deraadt@

oops, to64() is shared.

passwd.conf has been deprecated since login.conf was imported.
Today it finally dies. Based on a diff from Gabriel Kihlman.

Check getpass(3) return value. From Jared Yanovich <jjy2+ at pitt dot edu>

ok henning@

protos

Add a "-c class" option to specify that the given login class should
be used to find the cipher to user.

strlcpy

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

KNF + some ANSIfication

Call pwd_gensalt() with the correct args and reference login.conf
in man page; hideishi@magisystem.net

allow prompt to be specified anywhere on the command line, make it work
with md5. prohibit makekey mode and prompt.

seperate -> separate, okay aaron@

proto bcrypt_gensalt()

include ctype.h for isspace() and fix some declarations

Add -p flag, prompt for a string with echo off.

Use fprintf/exit in place of errx for usage display.

add <stdlib.h> for atoi(), free(), etc.

(foo *)NULL -> NULL

blowfish + passwd.conf support. fixed md5 salt.

Fix core dump.

Add an old makekey(8) mode.

Slightly cleaner.

encrypt(1), little utility for encrypting passwords from the command line.

correct some unveil(2) violations due to "login.conf.db" access (the .db version
of "login.conf"), and stat(2) on _PATH_MASTERPASSWD_LOCK (via pw_mkdb(3)).

problem initially noted by myself for passwd(1)
millert@ reported similar problem on chpass(1), su(1), doas(1) and encrypt(1)
mestre@ noted chpass(1) too

ok mestre@ millert@

The first unveil userland commit!

unveil _PATH_LOGIN_CONF (/etc/login.conf) which is used by
login_getclass(3) and family before doing password encode. This
is the only filename used by the program during runtime, everything
else happens on stdin/stdout.

This does not need pledge "wpath"

Use freezero instead of explicit_bzero+free

OK tb@

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

usage() is static and __dead; add prototype for print_passwd;
return instead of exit from main

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert

convert getpass to readpassphrase. from Dimitris Papastamos

encrypt(1) also needs to pledge "wpath" for getpass().

getpass() opens /dev/tty RW so it can write the prompt.

ok deraadt@

pledge "stdio rpath tty". rpath for the configuration reading done by
login* subsystem, tty for readpassphase()
ok beck

Wrap a long line. Use explicit_bzero. Fix comment describing extra.
From Andre Smagin
Also, should be safe to print errno from newhash() now.
ok millert

increase prefbuf size so that 'encrypt -b 000000000000000000000012' works.
noticed by Andre Smagin.
also check snprintf for overflow so we get better error messages if
somebody decides to pad with even more zeroes, and avoid possible
truncations.

remove unused variable

ok tedu@

encrypt can use the scrypt scaling code in libc now via crypt_newhash

fix -b a mode, spotted by rpe

impose some limits on the ideal rounds so nothing too crazy happens when
the clock results are weird

simplify. bcrypt only support and use newer libc APIs. no makekey emul.
ok deraadt
schwarze is a little sad to see the last 1/8 shared man page go, but we
have a support program in place, called the attic.

hoist blowfish up and use bcrypt_newhash directly

remove -m from usage();

kill md5 support, broken since May
ok tedu@

simpler prototype repairs

allow auto scaling bcrypt rounds by CPU power.
ok deraadt jmc sthen

Don't trim whitespace from stdin. Encrypt it the same as other
input sources. Feedback and fixes from ray@ and fgsch@.

ok millert@ (six years ago) ray@ fgsch@

use strtonum; ok millert@

remove some bogus *p tests from charles longeau
ok deraadt millert

tidy up synopsis and usage(); from Igor Sobrado

There is no need to trim an empty string any further, just return
it.

OK moritz@.

Handle crypt(3) returning NULL. Found by Gustavo C. Pereira.

ok deraadt@

oops, to64() is shared.

passwd.conf has been deprecated since login.conf was imported.
Today it finally dies. Based on a diff from Gabriel Kihlman.

Check getpass(3) return value. From Jared Yanovich <jjy2+ at pitt dot edu>

ok henning@

protos

Add a "-c class" option to specify that the given login class should
be used to find the cipher to user.

strlcpy

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

KNF + some ANSIfication

Call pwd_gensalt() with the correct args and reference login.conf
in man page; hideishi@magisystem.net

allow prompt to be specified anywhere on the command line, make it work
with md5. prohibit makekey mode and prompt.

seperate -> separate, okay aaron@

proto bcrypt_gensalt()

include ctype.h for isspace() and fix some declarations

Add -p flag, prompt for a string with echo off.

Use fprintf/exit in place of errx for usage display.

add <stdlib.h> for atoi(), free(), etc.

(foo *)NULL -> NULL

blowfish + passwd.conf support. fixed md5 salt.

Fix core dump.

Add an old makekey(8) mode.

Slightly cleaner.

encrypt(1), little utility for encrypting passwords from the command line.

The first unveil userland commit!

unveil _PATH_LOGIN_CONF (/etc/login.conf) which is used by
login_getclass(3) and family before doing password encode. This
is the only filename used by the program during runtime, everything
else happens on stdin/stdout.

This does not need pledge "wpath"

Use freezero instead of explicit_bzero+free

OK tb@

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

usage() is static and __dead; add prototype for print_passwd;
return instead of exit from main

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert

convert getpass to readpassphrase. from Dimitris Papastamos

encrypt(1) also needs to pledge "wpath" for getpass().

getpass() opens /dev/tty RW so it can write the prompt.

ok deraadt@

pledge "stdio rpath tty". rpath for the configuration reading done by
login* subsystem, tty for readpassphase()
ok beck

Wrap a long line. Use explicit_bzero. Fix comment describing extra.
From Andre Smagin
Also, should be safe to print errno from newhash() now.
ok millert

increase prefbuf size so that 'encrypt -b 000000000000000000000012' works.
noticed by Andre Smagin.
also check snprintf for overflow so we get better error messages if
somebody decides to pad with even more zeroes, and avoid possible
truncations.

remove unused variable

ok tedu@

encrypt can use the scrypt scaling code in libc now via crypt_newhash

fix -b a mode, spotted by rpe

impose some limits on the ideal rounds so nothing too crazy happens when
the clock results are weird

simplify. bcrypt only support and use newer libc APIs. no makekey emul.
ok deraadt
schwarze is a little sad to see the last 1/8 shared man page go, but we
have a support program in place, called the attic.

hoist blowfish up and use bcrypt_newhash directly

remove -m from usage();

kill md5 support, broken since May
ok tedu@

simpler prototype repairs

allow auto scaling bcrypt rounds by CPU power.
ok deraadt jmc sthen

Don't trim whitespace from stdin. Encrypt it the same as other
input sources. Feedback and fixes from ray@ and fgsch@.

ok millert@ (six years ago) ray@ fgsch@

use strtonum; ok millert@

remove some bogus *p tests from charles longeau
ok deraadt millert

tidy up synopsis and usage(); from Igor Sobrado

There is no need to trim an empty string any further, just return
it.

OK moritz@.

Handle crypt(3) returning NULL. Found by Gustavo C. Pereira.

ok deraadt@

oops, to64() is shared.

passwd.conf has been deprecated since login.conf was imported.
Today it finally dies. Based on a diff from Gabriel Kihlman.

Check getpass(3) return value. From Jared Yanovich <jjy2+ at pitt dot edu>

ok henning@

protos

Add a "-c class" option to specify that the given login class should
be used to find the cipher to user.

strlcpy

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

KNF + some ANSIfication

Call pwd_gensalt() with the correct args and reference login.conf
in man page; hideishi@magisystem.net

allow prompt to be specified anywhere on the command line, make it work
with md5. prohibit makekey mode and prompt.

seperate -> separate, okay aaron@

proto bcrypt_gensalt()

include ctype.h for isspace() and fix some declarations

Add -p flag, prompt for a string with echo off.

Use fprintf/exit in place of errx for usage display.

add <stdlib.h> for atoi(), free(), etc.

(foo *)NULL -> NULL

blowfish + passwd.conf support. fixed md5 salt.

Fix core dump.

Add an old makekey(8) mode.

Slightly cleaner.

encrypt(1), little utility for encrypting passwords from the command line.

Use freezero instead of explicit_bzero+free

OK tb@

Use the safe idiom of cleaning sensitive data from memory with explicit_bzero,
instead of relying on other methods, after readpassphrase. Some programs on
this diff won't benefit that much since it happens near the terminal path, but
someone might copy the unsafe idiom to another program and place it where it
may leak sensitive data.

Discussed aeons ago with tb@, OK deraadt@ and beck@

usage() is static and __dead; add prototype for print_passwd;
return instead of exit from main

_PASSWORD_LEN is length that comes out of crypt(), not a meaningful
length for user entered passwords. And the +1 is just superstitious
nonsense inherited from getpass() guts.
Switch to a pleasing fixed size of 1024.
ok millert

convert getpass to readpassphrase. from Dimitris Papastamos

encrypt(1) also needs to pledge "wpath" for getpass().

getpass() opens /dev/tty RW so it can write the prompt.

ok deraadt@

pledge "stdio rpath tty". rpath for the configuration reading done by
login* subsystem, tty for readpassphase()
ok beck

Wrap a long line. Use explicit_bzero. Fix comment describing extra.
From Andre Smagin
Also, should be safe to print errno from newhash() now.
ok millert

increase prefbuf size so that 'encrypt -b 000000000000000000000012' works.
noticed by Andre Smagin.
also check snprintf for overflow so we get better error messages if
somebody decides to pad with even more zeroes, and avoid possible
truncations.

remove unused variable

ok tedu@

encrypt can use the scrypt scaling code in libc now via crypt_newhash

fix -b a mode, spotted by rpe

impose some limits on the ideal rounds so nothing too crazy happens when
the clock results are weird

simplify. bcrypt only support and use newer libc APIs. no makekey emul.
ok deraadt
schwarze is a little sad to see the last 1/8 shared man page go, but we
have a support program in place, called the attic.

hoist blowfish up and use bcrypt_newhash directly

remove -m from usage();

kill md5 support, broken since May
ok tedu@

simpler prototype repairs

allow auto scaling bcrypt rounds by CPU power.
ok deraadt jmc sthen

Don't trim whitespace from stdin. Encrypt it the same as other
input sources. Feedback and fixes from ray@ and fgsch@.

ok millert@ (six years ago) ray@ fgsch@

use strtonum; ok millert@

remove some bogus *p tests from charles longeau
ok deraadt millert

tidy up synopsis and usage(); from Igor Sobrado

There is no need to trim an empty string any further, just return
it.

OK moritz@.

Handle crypt(3) returning NULL. Found by Gustavo C. Pereira.

ok deraadt@

oops, to64() is shared.

passwd.conf has been deprecated since login.conf was imported.
Today it finally dies. Based on a diff from Gabriel Kihlman.

Check getpass(3) return value. From Jared Yanovich <jjy2+ at pitt dot edu>

ok henning@

protos

Add a "-c class" option to specify that the given login class should
be used to find the cipher to user.

strlcpy

Part one of userland __P removal. Done with a simple regexp with some minor hand editing to make comments line up correctly. Another pass is forthcoming that handles the cases that could not be done automatically.

KNF + some ANSIfication

Call pwd_gensalt() with the correct args and reference login.conf
in man page; hideishi@magisystem.net

allow prompt to be specified anywhere on the command line, make it work
with md5. prohibit makekey mode and prompt.

seperate -> separate, okay aaron@

proto bcrypt_gensalt()

include ctype.h for isspace() and fix some declarations

Add -p flag, prompt for a string with echo off.

Use fprintf/exit in place of errx for usage display.

add <stdlib.h> for atoi(), free(), etc.

(foo *)NULL -> NULL

blowfish + passwd.conf support. fixed md5 salt.

Fix core dump.

Add an old makekey(8) mode.

Slightly cleaner.

encrypt(1), little utility for encrypting passwords from the command line.