Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occured on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@

htpasswd(1) when in batch mode (-I) and 1 argument is used, or when not in
batch mode and 2 arguments are used we know we have to access argv[0] with rwc
permissions and also to rwc a temporary file in /tmp so we can unveil(2) both
argv[0] and /tmp with rwc permissions. In order to avoid adding "unveil" to
pledge(2), just call it after getopt(3).

Remaining code paths already have fs access disabled via pledge(2).

OK florian@ deraadt@

htpasswd: use crypt_newhash instead of the bcrypt API

man bcrypt states:
These functions are deprecated in favor of crypt_checkpass(3) and
crypt_newhash(3).

hence with this change we move htpasswd to the new API, while here
also change the rounds from a hardcoded 8 to automatic selection based
on system performance.

OK florian@

Make our initial pledge stricter once we figured out in which mode we
are running.
In batch mode we are only reading from stdin and writing to stdout.
If no file is specified we are reading from stdin, writing to stdout
and need to control the tty for readpassphrase.
OK deraadt@ on an earlier version some time ago.

Implement real "flock" request and add it to userland programs that
use pledge and file locking. OK deraadt@

Change all tame callers to namechange to pledge(2).

tame "stdio rpath wpath cpath tmppath tty". "tty" is the important part
here, permitting use of readpassphrase()

in getopt() blocks, stop incrementing flag variable which are supposed
to just be 0/1
ok miod florian

sf@ pointed out that the -B flag is already in use by apache's
htpasswd (since version 2.4); change it to -I. The -B flag was not in
use for a long time so this change should not cause too much trouble.
OK sf@, jmc@
no objections from sthen@
"kein problem damit" benno@

Various fixes from Tiago Cunha tcunha _AT_ gmx _DOT_ com:
- const for file and tok
- remove \n from err(3)
- typo in error message
- s/err/errx/ for functions that do not set errno
- s/fprintf(stderr,...)/warnx/

Thanks!

OK sthen, benno

missing -B in second usage line
pointed out by jmc@, thanks!

Batch mode; read exactly one line "login:unencrypted-password" from
stdin.
OK benno
man page tweak and OK sthen

Stop nagging after 5 non-bcrypt hashes
OK benno

flock password file
OK benno

move ftruncate down, lessen the chance that the file it might be left
empty. while there, fix an error msg.
ok florian

No need for \t in usage(), pointed out by sthen and should have been
in the initial commit. Sorry about that.

The correct idiom is of course the umask song and dance. Brain-fart by
me.
pointed out by deraadt
OK benno

Re-implement htpasswd from scratch. There is so much bad advice on the
internet that it's better to have a known tool in base.
Intentionally not switch compatible with the old htpasswd. The only
switch really needed would be for batch mode, but that was inherently
insecure in the old htpasswd. Batch mode will be coming shortly.
OK sthen, tedu, benno

htpasswd(1) when in batch mode (-I) and 1 argument is used, or when not in
batch mode and 2 arguments are used we know we have to access argv[0] with rwc
permissions and also to rwc a temporary file in /tmp so we can unveil(2) both
argv[0] and /tmp with rwc permissions. In order to avoid adding "unveil" to
pledge(2), just call it after getopt(3).

Remaining code paths already have fs access disabled via pledge(2).

OK florian@ deraadt@

htpasswd: use crypt_newhash instead of the bcrypt API

man bcrypt states:
These functions are deprecated in favor of crypt_checkpass(3) and
crypt_newhash(3).

hence with this change we move htpasswd to the new API, while here
also change the rounds from a hardcoded 8 to automatic selection based
on system performance.

OK florian@

Make our initial pledge stricter once we figured out in which mode we
are running.
In batch mode we are only reading from stdin and writing to stdout.
If no file is specified we are reading from stdin, writing to stdout
and need to control the tty for readpassphrase.
OK deraadt@ on an earlier version some time ago.

Implement real "flock" request and add it to userland programs that
use pledge and file locking. OK deraadt@

Change all tame callers to namechange to pledge(2).

tame "stdio rpath wpath cpath tmppath tty". "tty" is the important part
here, permitting use of readpassphrase()

in getopt() blocks, stop incrementing flag variable which are supposed
to just be 0/1
ok miod florian

sf@ pointed out that the -B flag is already in use by apache's
htpasswd (since version 2.4); change it to -I. The -B flag was not in
use for a long time so this change should not cause too much trouble.
OK sf@, jmc@
no objections from sthen@
"kein problem damit" benno@

Various fixes from Tiago Cunha tcunha _AT_ gmx _DOT_ com:
- const for file and tok
- remove \n from err(3)
- typo in error message
- s/err/errx/ for functions that do not set errno
- s/fprintf(stderr,...)/warnx/

Thanks!

OK sthen, benno

missing -B in second usage line
pointed out by jmc@, thanks!

Batch mode; read exactly one line "login:unencrypted-password" from
stdin.
OK benno
man page tweak and OK sthen

Stop nagging after 5 non-bcrypt hashes
OK benno

flock password file
OK benno

move ftruncate down, lessen the chance that the file it might be left
empty. while there, fix an error msg.
ok florian

No need for \t in usage(), pointed out by sthen and should have been
in the initial commit. Sorry about that.

The correct idiom is of course the umask song and dance. Brain-fart by
me.
pointed out by deraadt
OK benno

Re-implement htpasswd from scratch. There is so much bad advice on the
internet that it's better to have a known tool in base.
Intentionally not switch compatible with the old htpasswd. The only
switch really needed would be for batch mode, but that was inherently
insecure in the old htpasswd. Batch mode will be coming shortly.
OK sthen, tedu, benno

htpasswd: use crypt_newhash instead of the bcrypt API

man bcrypt states:
These functions are deprecated in favor of crypt_checkpass(3) and
crypt_newhash(3).

hence with this change we move htpasswd to the new API, while here
also change the rounds from a hardcoded 8 to automatic selection based
on system performance.

OK florian@

Make our initial pledge stricter once we figured out in which mode we
are running.
In batch mode we are only reading from stdin and writing to stdout.
If no file is specified we are reading from stdin, writing to stdout
and need to control the tty for readpassphrase.
OK deraadt@ on an earlier version some time ago.

Implement real "flock" request and add it to userland programs that
use pledge and file locking. OK deraadt@

Change all tame callers to namechange to pledge(2).

tame "stdio rpath wpath cpath tmppath tty". "tty" is the important part
here, permitting use of readpassphrase()

in getopt() blocks, stop incrementing flag variable which are supposed
to just be 0/1
ok miod florian

sf@ pointed out that the -B flag is already in use by apache's
htpasswd (since version 2.4); change it to -I. The -B flag was not in
use for a long time so this change should not cause too much trouble.
OK sf@, jmc@
no objections from sthen@
"kein problem damit" benno@

Various fixes from Tiago Cunha tcunha _AT_ gmx _DOT_ com:
- const for file and tok
- remove \n from err(3)
- typo in error message
- s/err/errx/ for functions that do not set errno
- s/fprintf(stderr,...)/warnx/

Thanks!

OK sthen, benno

missing -B in second usage line
pointed out by jmc@, thanks!

Batch mode; read exactly one line "login:unencrypted-password" from
stdin.
OK benno
man page tweak and OK sthen

Stop nagging after 5 non-bcrypt hashes
OK benno

flock password file
OK benno

move ftruncate down, lessen the chance that the file it might be left
empty. while there, fix an error msg.
ok florian

No need for \t in usage(), pointed out by sthen and should have been
in the initial commit. Sorry about that.

The correct idiom is of course the umask song and dance. Brain-fart by
me.
pointed out by deraadt
OK benno

Re-implement htpasswd from scratch. There is so much bad advice on the
internet that it's better to have a known tool in base.
Intentionally not switch compatible with the old htpasswd. The only
switch really needed would be for batch mode, but that was inherently
insecure in the old htpasswd. Batch mode will be coming shortly.
OK sthen, tedu, benno