From 6cbce81df97a16363c46cbd1e8202c3b4f0a2205 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 19 Jan 2025 21:23:54 +0100
Subject: [PATCH] lib/encrypt.c: Do not exit in error case

If crypt fails, pw_encrypt calls exit. This has the consequence that the
plaintext password is not cleared.

A valid password can fail if the underlying library does not support it.
One such example is SHA512, for which the password must not be longer
than 256 characters on musl. A password longer than this with glibc
works, so it is actually possible that a user, running passwd, tries to
enter the old password but the musl-based passwd binary simply exits.
Let passwd clear the password before exiting.

Reviewed-by: Alejandro Colomar <alx@kernel.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 lib/encrypt.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/encrypt.c b/lib/encrypt.c
index c84a2552..9c1cb406 100644
--- a/lib/encrypt.c
+++ b/lib/encrypt.c
@@ -65,7 +65,8 @@
 		(void) fprintf (shadow_logfd,
 		                _("crypt method not supported by libcrypt? (%s)\n"),
 		                method);
-		exit (EXIT_FAILURE);
+		errno = EINVAL;
+		return NULL;
 	}
 
 	if (strlen (cp) != 13) {
-- 
2.33.0