/*
 * Password prompt with a three-try limit: the loop runs while
 * attempts++ < 3 and loggedin is still false.  Each pass reads a password
 * through getpass_r(), prints "Logged in" (and sets loggedin) or
 * "Wrong password", then overwrites strlen(password) bytes with
 * my_memset_s() and frees the buffer, so the cleartext is scrubbed on both
 * outcomes.
 *
 * The statement tagged FLAW compares the input with the string literal
 * "0xDEADBEEF" that is compiled into the program.  A credential kept in the
 * program text is readable from the source or the binary and cannot be
 * rotated without a rebuild; the usual remedy is a salted password verifier
 * stored outside the executable and checked with a constant-time compare.
 *
 * NOTE(review): in this listing the text between the prompt literal and the
 * compared literal is masked with asterisks, so the rest of the getpass_r()
 * call, the NULL check and the comparison function are not visible, and the
 * braces do not balance as shown.  The code is left exactly as listed.
 * NOTE(review): loggedin is not declared in this function; presumably it is
 * a file-scope flag (confirm).  argc and argv are unused in the visible part.
 */
int main(int argc, char *argv[]) { int attempts = 0; char *password; while (attempts++ < 3 && !loggedin) { password = getpass_r("Password: "******"0xDEADBEEF") == 0) /* FLAW */ { loggedin = true; printf("Logged in\n"); } else printf("Wrong password\n"); my_memset_s(password, 0, strlen(password)); free(password); } } return 0; }
/**
 * Prompt for a password and place it in the caller's buffer.
 *
 * @param prompt  text handed to the underlying prompt routine
 * @param pwbuf   destination buffer for the password
 * @param bufsiz  points to the capacity of pwbuf; it is only read here
 * @return APR_SUCCESS on success, APR_EINVAL when the prompt routine
 *         returns NULL, APR_ENAMETOOLONG when the entered password is
 *         *bufsiz characters or longer.
 *
 * With HAVE_GETPASS_R the routine writes straight into pwbuf.  Otherwise the
 * password comes back in a buffer owned by the prompt routine, is copied with
 * apr_cpystrn() bounded by *bufsiz, and the routine's buffer is then cleared.
 *
 * NOTE(review): on APR_ENAMETOOLONG the copy into pwbuf has still been made
 * (bounded by *bufsiz), so a caller that ignores the status would go on with
 * a shortened password; callers should treat that status as a failure.
 */
APR_DECLARE(apr_status_t) apr_password_get(const char *prompt, char *pwbuf,
                                           apr_size_t *bufsiz)
{
    apr_status_t status = APR_SUCCESS;

#if defined(HAVE_GETPASS_R)
    if (getpass_r(prompt, pwbuf, *bufsiz) == NULL) {
        return APR_EINVAL;
    }
#else
    char *entered;
    apr_size_t entered_len;

#if defined(HAVE_GETPASSPHRASE)
    entered = getpassphrase(prompt);
#elif defined(HAVE_GETPASS)
    entered = getpass(prompt);
#else /* use the replacement implementation above */
    entered = get_password(prompt);
#endif

    if (entered == NULL) {
        return APR_EINVAL;
    }

    /* Measure once: the same length drives the overflow check and the wipe. */
    entered_len = strlen(entered);
    if (entered_len >= *bufsiz) {
        status = APR_ENAMETOOLONG;
    }
    apr_cpystrn(pwbuf, entered, *bufsiz);

    /* Clear the prompt routine's copy so the cleartext does not linger there.
     * NOTE(review): this is a plain memset(); if the build offers an
     * explicit-zeroing primitive, it is the safer choice for secrets. */
    memset(entered, 0, entered_len);
#endif /* HAVE_GETPASS_R */

    return status;
}
/*
 * Make sure a "user[:password][;options]" string carries a password,
 * prompting on the terminal when it does not.
 *
 * kind     what the credentials are for; only used in the prompt text
 * i        operation index; shown as "URL #i+1" in the prompt
 * last     TRUE if this is the last operation
 * userpwd  pointer to an allocated string; it may be reallocated and
 *          replaced with "<original string>:<password>"
 *
 * Returns CURLE_OK when nothing had to be done or the password was appended,
 * CURLE_OUT_OF_MEMORY when realloc() fails (*userpwd is then left as it was).
 *
 * NOTE(review): the result of getpass_r() is not checked; since the buffer
 * starts out as "", a failed read would append an empty password.
 * NOTE(review): the cleartext stays in the local buffer when the function
 * returns; clearing it with a non-elidable wipe would shorten its lifetime.
 */
static CURLcode checkpasswd(const char *kind, /* for what purpose */
                            const size_t i,   /* operation index */
                            const bool last,  /* TRUE if last operation */
                            char **userpwd)   /* pointer to allocated string */
{
  char secret[256] = "";
  char question[256];
  char *colon;
  char *semicolon;
  char *grown;
  size_t name_len;
  size_t secret_len;

  if(!*userpwd)
    return CURLE_OK;

  /* locate the password separator and the options separator */
  colon = strchr(*userpwd, ':');
  semicolon = strchr(*userpwd, ';');

  /* a password is already present, or the string starts with options */
  if(colon || **userpwd == ';')
    return CURLE_OK;

  /* length of the whole string, taken before the options are cut off */
  name_len = strlen(*userpwd);

  /* hide the options part while the user name is printed in the prompt */
  if(semicolon)
    *semicolon = '\0';

  if(i || !last)
    curlx_msnprintf(question, sizeof(question),
                    "Enter %s password for user '%s' on URL #%zu:",
                    kind, *userpwd, i + 1);
  else
    curlx_msnprintf(question, sizeof(question),
                    "Enter %s password for user '%s':",
                    kind, *userpwd);

  /* read the password without echo */
  getpass_r(question, secret, sizeof(secret));
  secret_len = strlen(secret);

  /* put the options separator back */
  if(semicolon)
    *semicolon = ';';

  /* room for the old string, a colon, the password and the terminator */
  grown = realloc(*userpwd, secret_len + 1 + name_len + 1);
  if(!grown)
    return CURLE_OUT_OF_MEMORY;

  /* append ":" and the password, terminating zero included */
  grown[name_len] = ':';
  memcpy(grown + name_len + 1, secret, secret_len + 1);
  *userpwd = grown;

  return CURLE_OK;
}
/*
 * Make sure a "user[:password][;options]" string carries a password,
 * prompting on the terminal when it does not.
 *
 * kind     what the credentials are for; only used in the prompt text
 * userpwd  pointer to an allocated string; it may be reallocated and
 *          replaced with "<original string>:<password>"
 *
 * Returns PARAM_OK when nothing had to be done or the password was appended,
 * PARAM_NO_MEM when realloc() fails (*userpwd is then left as it was).
 *
 * NOTE(review): the result of getpass_r() is not checked; since the buffer
 * starts out as "", a failed read would append an empty password.
 * NOTE(review): the cleartext stays in the local buffer when the function
 * returns; clearing it with a non-elidable wipe would shorten its lifetime.
 */
ParameterError checkpasswd(const char *kind, /* for what purpose */
                           char **userpwd)   /* pointer to allocated string */
{
  char typed[256] = "";
  char banner[256];
  char *pw_mark;
  char *opt_mark;
  char *bigger;
  size_t old_len;
  size_t typed_len;

  if(!*userpwd)
    return PARAM_OK;

  /* look for the password separator and the options separator */
  pw_mark = strchr(*userpwd, ':');
  opt_mark = strchr(*userpwd, ';');

  /* nothing to ask for: a password is there, or options come first */
  if(pw_mark || **userpwd == ';')
    return PARAM_OK;

  /* measured before the options are cut off, so they are counted too */
  old_len = strlen(*userpwd);

  /* show only the user name in the prompt */
  if(opt_mark)
    *opt_mark = '\0';

  curlx_msnprintf(banner, sizeof(banner),
                  "Enter %s password for user '%s':",
                  kind, *userpwd);

  /* read the password without echo */
  getpass_r(banner, typed, sizeof(typed));
  typed_len = strlen(typed);

  /* restore the options separator */
  if(opt_mark)
    *opt_mark = ';';

  /* old string + colon + password + terminating zero */
  bigger = realloc(*userpwd, typed_len + 1 + old_len + 1);
  if(!bigger)
    return PARAM_NO_MEM;

  /* append ":" and the password, terminating zero included */
  bigger[old_len] = ':';
  memcpy(bigger + old_len + 1, typed, typed_len + 1);
  *userpwd = bigger;

  return PARAM_OK;
}
/*
 * Gate in front of a "diagnostic mode": reads a password through
 * getpass_r().  On the branch tagged FLAW the buffer is overwritten with
 * my_memset_s(), freed, "Incorrect Password!" is printed and the function
 * returns; otherwise the buffer is scrubbed and freed the same way and
 * "Entering Diagnostic Mode..." is printed.
 *
 * The FLAW line checks the input against the string literal "Mew!" that is
 * compiled into the program.  A credential kept in the program text is
 * readable from the source or the binary and is the same on every install;
 * the usual remedy is a per-deployment secret verified against a salted hash
 * held outside the executable.
 *
 * NOTE(review): in this listing the text between the prompt literal and the
 * compared literal is masked with asterisks, so the rest of the getpass_r()
 * call, any NULL check and the comparison function are not visible, and the
 * braces do not balance as shown.  The code is left exactly as listed.
 */
void test(void) { char *password = getpass_r("Password: "******"Mew!")) /* FLAW */ { my_memset_s(password, 0, strlen(password)); free(password); printf("Incorrect Password!\n"); return; } my_memset_s(password, 0, strlen(password)); free(password); } printf("Entering Diagnostic Mode...\n"); }
/*
 * Login loop over a two-entry user table built on the stack.  Each entry's
 * name ("mark", "mel") and password are assigned from string literals, so
 * the accounts and their credentials are compiled into the program.  For
 * every entry the user name is written to stderr and a password is read
 * with getpass_r(); on the success branch a welcome message is printed, the
 * buffer is freed and the loop stops, otherwise the buffer is freed and the
 * next entry is tried.
 *
 * Credentials kept in the program text are readable from the source or the
 * binary and cannot be changed per deployment; the usual remedy is to keep
 * salted password hashes in a protected store outside the executable.
 *
 * NOTE(review): the password literals and the text between the prompt
 * literal and the welcome message are masked with asterisks in this listing,
 * so the comparison itself is not visible and the braces do not balance as
 * shown.  The code is left exactly as listed.
 * NOTE(review): in the visible part the password buffer is freed without
 * being overwritten first; confirm whether the masked part scrubs it.
 * NOTE(review): the uid field is never assigned in the visible part, and
 * argc and argv are unused.
 */
int main(int argc, char *argv[]) { unsigned int u; char *password; struct { char *name; uid_t uid; char *password; } users[2]; users[0].name = "mark"; users[0].password = "******"; users[1].name = "mel"; users[1].password = "******"; for (u = 0; u < sizeof(users) / sizeof(*users); ++u) { fprintf(stderr, "Username: %s\n", users[u].name); password = getpass_r("Password: "******"Logged in\nWelcome %s!\n", users[u].name); free(password); break; } free(password); } } return 0; }