
#230 Password silently truncated to 8 chars when entered via terminal on Solaris

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2021-11-17
Created: 2021-08-28
Creator: Rick Sayre
Private: No

Greetings
The tl;dr is that on Solaris/OmniOS flavored machines, getpassphrase() should be used in UserInputUtils.cpp instead of getpass().

Otherwise, long entered passwords are silently truncated to 8 characters, reducing security and producing encrypted files which appear to be broken, since they don't use the password you thought they did... Long-password files encrypted on e.g. Linux boxes can only be successfully read when using the passed-on-command-line option, which isn't great.

From the manpage for Illumos:

       The getpassphrase() function is identical to getpass(), except that it
       reads and returns a string of up to 257 characters in length.
...
       Upon successful completion, getpass() returns a pointer to a null-
       terminated string of at most 9 bytes that were read from the terminal
       device. If an error is encountered, the terminal state is restored and
       a null pointer is returned.

In the absence of OS-specific flags available in the build environment, a gross hack which works is to add this to ALLFLAGS in the solaris makefile:

    -Dgetpass=getpassphrase \
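To illustrate the failure mode the ticket describes, here is an added example (written for this note, not code from p7zip or from the reporter) of a terminal reader that turns echo off itself and, rather than silently cutting the input to the buffer size the way the Solaris getpass() does, reports when the entered passphrase does not fit. read_from_string() is a constructed helper that feeds it an in-memory line so the behaviour can be checked without a terminal.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Read one line from `in` into buf (cap bytes incl. NUL), with echo off when
 * `in` is a terminal.  Returns the length read, or -1 when the line did not
 * fit: the caller is told instead of receiving a silently truncated secret,
 * the failure this ticket describes for getpass() on Solaris.
 * Added example, not p7zip's code. */
ssize_t read_passphrase(FILE *in, char *buf, size_t cap)
{
    struct termios saved, quiet;
    int fd = fileno(in), tty = isatty(fd), c, overflow = 0;
    size_t n = 0;

    if (cap == 0) return -1;
    if (tty && tcgetattr(fd, &saved) == 0) {
        quiet = saved;
        quiet.c_lflag &= ~(tcflag_t)ECHO;        /* hide keystrokes */
        tcsetattr(fd, TCSAFLUSH, &quiet);
    } else {
        tty = 0;
    }
    while ((c = fgetc(in)) != EOF && c != '\n') {
        if (n + 1 >= cap) {                      /* no room: drain the rest, fail */
            while ((c = fgetc(in)) != EOF && c != '\n') { }
            overflow = 1;
            break;
        }
        buf[n++] = (char)c;
    }
    if (overflow) memset(buf, 0, cap); else buf[n] = '\0';
    if (tty) {
        tcsetattr(fd, TCSAFLUSH, &saved);        /* restore echo */
        fputc('\n', stderr);
    }
    return overflow ? -1 : (ssize_t)n;
}

/* Drive read_passphrase() with a constructed line via an in-memory FILE, so
 * the behaviour can be checked without a terminal (test helper, constructed). */
ssize_t read_from_string(const char *text, char *buf, size_t cap)
{
    FILE *in = fmemopen((void *)text, strlen(text), "r");
    ssize_t r = in ? read_passphrase(in, buf, cap) : -1;
    if (in) fclose(in);
    return r;
}
```

With a 9-byte buffer (getpass()'s 8 characters plus NUL) an 8-character line is accepted and a 9-character line is rejected rather than shortened.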

Discussion

  • Rick Sayre - 2021-08-29

    Perhaps a more proper patch would be appropriate; the makefile hack is meant to get 'er done for those in desperation.

    --- CPP/7zip/UI/Console/UserInputUtils.cpp-orig 2021-08-28 11:17:36.276419390 +0000
    +++ CPP/7zip/UI/Console/UserInputUtils.cpp      2021-08-28 22:23:57.045170137 +0000
    @@ -89,12 +89,21 @@
         outStream->Flush();
       }
     #ifdef ENV_HAVE_GETPASS
    +#if defined(__sun)
    
    +  AString oemPassword = getpassphrase("");
    +#else
       AString oemPassword = getpass("");
    +#endif
    +
       if ( (verify) && (outStream) )
       {
         (*outStream) << "Verify password (will not be echoed) :";
         outStream->Flush();
    +#if defined(__sun)
    +    AString oemPassword2 = getpassphrase("");
    +#else
         AString oemPassword2 = getpass("");
    +#endif
         if (oemPassword != oemPassword2) throw "password verification failed";
       }
       return MultiByteToUnicodeString(oemPassword, CP_OEMCP);
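    Review bot: The `#if defined(__sun)` / `#else` / `#endif` block is duplicated around both the first read and the verify read; selecting the function once next to the `#ifdef ENV_HAVE_GETPASS` check (e.g. `#if defined(__sun)` / `#define GETPASS_FN getpassphrase` / `#else` / `#define GETPASS_FN getpass` / `#endif`) and calling `GETPASS_FN("")` at both sites keeps them from drifting apart. Per the manpage quoted in the report, getpassphrase() still stops at 257 characters, so the limit is raised rather than removed and that cap should be mentioned in a comment at the call site. As pasted, the hunk also contains an unmarked blank line between `+#if defined(__sun)` and `+  AString oemPassword = getpassphrase("");`, which will make the patch fail to apply cleanly; re-posting it as an attachment would avoid that.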
    
     
  • Sam Tansy - 2021-11-17

    You may want to check whether it has been corrected in p7zip on GitHub. It's been unmaintained here for a long time.
