int keyring_erase(struct credential *c)
{
char *object = NULL;
GList *entries;
GnomeKeyringNetworkPasswordData *password_data;
GnomeKeyringResult result;
/*
* Sanity check that we actually have something to match
* against. The input we get is a restrictive pattern,
* so technically a blank credential means "erase everything".
* But it is too easy to accidentally send this, since it is equivalent
* to empty input. So explicitly disallow it, and require that the
* pattern have some actual content to match.
*/
if (!c->protocol && !c->host && !c->path && !c->username)
return EXIT_FAILURE;
object = keyring_object(c);
result = gnome_keyring_find_network_password_sync(
c->username,
NULL /* domain */,
c->host,
object,
c->protocol,
NULL /* authtype */,
c->port,
&entries);
free(object);
if (result == GNOME_KEYRING_RESULT_NO_MATCH)
return EXIT_SUCCESS;
if (result == GNOME_KEYRING_RESULT_CANCELLED)
return EXIT_SUCCESS;
if (result != GNOME_KEYRING_RESULT_OK)
{
error("%s",gnome_keyring_result_to_message(result));
return EXIT_FAILURE;
}
/* pick the first one from the list (delete all matches?) */
password_data = (GnomeKeyringNetworkPasswordData *) entries->data;
result = gnome_keyring_item_delete_sync(
password_data->keyring, password_data->item_id);
gnome_keyring_network_password_list_free(entries);
if (result != GNOME_KEYRING_RESULT_OK)
{
error("%s",gnome_keyring_result_to_message(result));
return EXIT_FAILURE;
}
return EXIT_SUCCESS;
}
int
main (int argc, char **argv)
{
GnomeKeyringResult res;
g_test_init (&argc, &argv, NULL);
g_set_prgname ("frob-unlock-keyring");
if (argc < 2) {
g_printerr ("specify keyring to unlock\n");
return 2;
}
res = gnome_keyring_unlock_sync (argv[1], NULL);
if (res == GNOME_KEYRING_RESULT_OK) {
g_printerr ("ok\n");
return 0;
} else if (res == GNOME_KEYRING_RESULT_CANCELLED) {
g_printerr ("cancel\n");
return 0;
} else {
g_printerr ("failed: %s\n", gnome_keyring_result_to_message (res));
return 1;
}
}
static int
store_password(jaro_credential_t *cred)
{
gchar desc[1024];
GnomeKeyringResult keyres;
/* Only store complete credentials */
if (!cred->protocol || !cred->host ||
!cred->username || !cred->password)
return 1;
g_snprintf(desc, sizeof(desc), "%s %s", cred->protocol, cred->host);
keyres = gnome_keyring_store_password_sync(&jaro_schema,
GNOME_KEYRING_DEFAULT,
desc,
cred->password,
"protocol", cred->protocol,
"host", cred->host,
"path", cred->path,
"username", cred->username,
NULL);
if (keyres != GNOME_KEYRING_RESULT_OK) {
error("failed to store password: %s", gnome_keyring_result_to_message(keyres));
return 1;
}
return 0;
}
/*
* Callback from the keyring lookup in refresh_credentials.
*/
static void
found_password_cb (GnomeKeyringResult result,
GList *list,
gpointer user_data)
{
SwService *service = SW_SERVICE (user_data);
SwServiceLastfm *lastfm = SW_SERVICE_LASTFM (service);
SwServiceLastfmPrivate *priv = lastfm->priv;
if (result == GNOME_KEYRING_RESULT_OK && list != NULL) {
GnomeKeyringNetworkPasswordData *data = list->data;
g_free (priv->username);
priv->username = g_strdup (data->user);
} else {
g_free (priv->username);
priv->username = NULL;
if (result != GNOME_KEYRING_RESULT_NO_MATCH) {
g_warning (G_STRLOC ": Error getting password: %s", gnome_keyring_result_to_message (result));
}
}
sw_service_emit_user_changed (service);
sw_service_emit_capabilities_changed (service, get_dynamic_caps (service));
}
void gnc_keyring_set_password (const gchar *access_method,
const gchar *server,
guint32 port,
const gchar *service,
const gchar *user,
const gchar* password)
{
#ifdef HAVE_GNOME_KEYRING
GnomeKeyringResult gkr_result;
guint32 item_id = 0;
gkr_result = gnome_keyring_set_network_password_sync
(NULL, user, NULL, server, service,
access_method, NULL, port, password, &item_id);
if (gkr_result != GNOME_KEYRING_RESULT_OK)
{
PWARN ("Gnome-keyring error: %s",
gnome_keyring_result_to_message(gkr_result));
PWARN ("The user will be prompted for a password again next time.");
}
#endif /* HAVE_GNOME_KEYRING */
#ifdef HAVE_OSX_KEYCHAIN
OSStatus status;
SecKeychainItemRef *itemRef = NULL;
/* mysql and postgres aren't valid protocols on Mac OS X.
* So we use the security domain parameter to allow us to
* distinguish between these two.
*/
// FIXME I'm not sure this works if a password was already in the keychain
// I may have to do a lookup first and if it exists, run some update
// update function instead
status = SecKeychainAddInternetPassword ( NULL, /* keychain */
strlen(server), server, /* servername */
strlen(access_method), access_method, /* securitydomain */
strlen(user), user, /* acountname */
strlen(service), service, /* path */
port, /* port */
kSecProtocolTypeAny, /* protocol */
kSecAuthenticationTypeDefault, /* auth type */
strlen(password), password, /* passworddata */
itemRef );
if ( status != noErr )
{
CFStringRef osx_resultstring = SecCopyErrorMessageString( status, NULL );
const gchar *resultstring = CFStringGetCStringPtr(osx_resultstring,
GetApplicationTextEncoding());
PWARN ( "OS X keychain error: %s", resultstring );
PWARN ( "The user will be prompted for a password again next time." );
CFRelease ( osx_resultstring );
}
#endif /* HAVE_OSX_KEYCHAIN */
}
static GnomeKeyringOperationGetIntCallback
stored_password (GnomeKeyringResult res, guint32 val, widgets *data)
{
/* user_data will be the same as was passed to gnome_keyring_store_password() */
if (res != GNOME_KEYRING_RESULT_OK)
{
gtk_image_set_from_stock(GTK_IMAGE(data->image_credentials), "gtk-stop", GTK_ICON_SIZE_BUTTON);
gtk_label_set_label(GTK_LABEL(data->label_credentials), gnome_keyring_result_to_message (res));
}
}
int keyring_get(struct credential *c)
{
char* object = NULL;
GList *entries;
GnomeKeyringNetworkPasswordData *password_data;
GnomeKeyringResult result;
if (!c->protocol || !(c->host || c->path))
return EXIT_FAILURE;
object = keyring_object(c);
result = gnome_keyring_find_network_password_sync(
c->username,
NULL /* domain */,
c->host,
object,
c->protocol,
NULL /* authtype */,
c->port,
&entries);
free(object);
if (result == GNOME_KEYRING_RESULT_NO_MATCH)
return EXIT_SUCCESS;
if (result == GNOME_KEYRING_RESULT_CANCELLED)
return EXIT_SUCCESS;
if (result != GNOME_KEYRING_RESULT_OK) {
error("%s",gnome_keyring_result_to_message(result));
return EXIT_FAILURE;
}
/* pick the first one from the list */
password_data = (GnomeKeyringNetworkPasswordData *) entries->data;
free_password(c->password);
c->password = xstrdup(password_data->password);
if (!c->username)
c->username = xstrdup(password_data->user);
gnome_keyring_network_password_list_free(entries);
return EXIT_SUCCESS;
}
// static
bool OTKeyring::Gnome_StoreSecret(const OTString& strUser,
const OTPassword& thePassword,
const std::string& str_display)
{
OT_ASSERT(strUser.Exists());
OT_ASSERT(thePassword.getMemorySize() > 0);
OTData theData(thePassword.getMemory(), thePassword.getMemorySize());
OTASCIIArmor ascData(theData);
theData.zeroMemory(); // security reasons.
OTString strOutput;
const bool bSuccess =
ascData.Exists() &&
ascData.WriteArmoredString(strOutput, "DERIVED KEY"); // There's no
// default, to
// force you to
// enter the right
// string.
ascData.zeroMemory();
GnomeKeyringResult theResult = GNOME_KEYRING_RESULT_IO_ERROR;
if (bSuccess && strOutput.Exists()) {
theResult = gnome_keyring_store_password_sync(
GNOME_KEYRING_NETWORK_PASSWORD,
GNOME_KEYRING_DEFAULT, // GNOME_KEYRING_SESSION,
str_display.c_str(), strOutput.Get(), "user", strUser.Get(),
"protocol", "opentxs", // todo: hardcoding.
nullptr);
strOutput.zeroMemory();
bool bResult = false;
if (theResult == GNOME_KEYRING_RESULT_OK)
bResult = true;
else
otErr << "OTKeyring::Gnome_StoreSecret: "
<< "Failure in gnome_keyring_store_password_sync: "
<< gnome_keyring_result_to_message(theResult) << '\n';
return bResult;
}
otOut << "OTKeyring::Gnome_StoreSecret: No secret to store.\n";
return false;
}
static void
on_change_password_done (GnomeKeyringResult result, gpointer user_data)
{
SeahorseCommands *self = SEAHORSE_COMMANDS (user_data);
SeahorseView *view;
if (result != GNOME_KEYRING_RESULT_OK &&
result != GNOME_KEYRING_RESULT_DENIED &&
result != GNOME_KEYRING_RESULT_CANCELLED) {
view = seahorse_commands_get_view (self);
seahorse_util_show_error (GTK_WIDGET (seahorse_view_get_window (view)),
_("Couldn't change keyring password"),
gnome_keyring_result_to_message (result));
}
refresh_all_keyrings (self);
}
static int
erase_password(jaro_credential_t *cred)
{
GnomeKeyringResult keyres;
keyres = gnome_keyring_delete_password_sync(&jaro_schema,
"protocol", cred->protocol,
"host", cred->host,
"path", cred->path,
"username", cred->username,
NULL);
if (keyres != GNOME_KEYRING_RESULT_OK) {
error("failed to erase password: %s", gnome_keyring_result_to_message(keyres));
return 1;
}
return 0;
}
static gboolean
ep_keyring_insert_password (const gchar *user,
const gchar *server,
const gchar *protocol,
const gchar *display_name,
const gchar *password,
GError **error)
{
GnomeKeyringAttributeList *attributes;
GnomeKeyringResult result;
guint32 item_id;
g_return_val_if_fail (user != NULL, FALSE);
g_return_val_if_fail (server != NULL, FALSE);
g_return_val_if_fail (protocol != NULL, FALSE);
g_return_val_if_fail (display_name != NULL, FALSE);
g_return_val_if_fail (password != NULL, FALSE);
attributes = gnome_keyring_attribute_list_new ();
gnome_keyring_attribute_list_append_string (
attributes, "application", "Evolution");
gnome_keyring_attribute_list_append_string (
attributes, "user", user);
gnome_keyring_attribute_list_append_string (
attributes, "server", server);
gnome_keyring_attribute_list_append_string (
attributes, "protocol", protocol);
/* XXX We don't use item_id but gnome-keyring doesn't allow
* for a NULL pointer. In fact it doesn't even check! */
result = gnome_keyring_item_create_sync (
NULL, GNOME_KEYRING_ITEM_NETWORK_PASSWORD,
display_name, attributes, password, TRUE, &item_id);
if (result != GNOME_KEYRING_RESULT_OK) {
g_set_error (
error, EP_KEYRING_ERROR, result,
"Unable to create password in "
"keyring (Keyring reports: %s)",
gnome_keyring_result_to_message (result));
}
gnome_keyring_attribute_list_free (attributes);
return (result == GNOME_KEYRING_RESULT_OK);
}
static int
check_password(jaro_credential_t *cred)
{
GnomeKeyringResult keyres;
gchar *pass = NULL;
keyres = gnome_keyring_find_password_sync(&jaro_schema,
&pass,
"protocol", cred->protocol,
"host", cred->host,
"path", cred->path,
"username", cred->username,
NULL);
if (keyres != GNOME_KEYRING_RESULT_OK) {
error("failed to check password: %s", gnome_keyring_result_to_message(keyres));
return 1;
}
gnome_keyring_free_password(pass);
return 0;
}
// static
bool OTKeyring::Gnome_DeleteSecret(const OTString& strUser,
const std::string& str_display)
{
OT_ASSERT(strUser.Exists());
GnomeKeyringResult theResult = gnome_keyring_delete_password_sync(
GNOME_KEYRING_NETWORK_PASSWORD, "user", strUser.Get(), "protocol",
"opentxs", // todo: hardcoding.
nullptr); // Always end with nullptr
if (theResult == GNOME_KEYRING_RESULT_OK) {
return true;
}
else {
otErr << "OTKeyring::Gnome_DeleteSecret: "
<< "Failure in gnome_keyring_delete_password_sync: "
<< gnome_keyring_result_to_message(theResult) << '\n';
}
return false;
}
/*
* Callback from the keyring lookup in refresh_credentials.
*/
static void
found_password_cb (GnomeKeyringResult result,
GList *list,
gpointer user_data)
{
SwService *service = SW_SERVICE (user_data);
SwServicePlurk *plurk = SW_SERVICE_PLURK (service);
SwServicePlurkPrivate *priv = plurk->priv;
if (result == GNOME_KEYRING_RESULT_OK && list != NULL) {
GnomeKeyringNetworkPasswordData *data = list->data;
g_free (priv->username);
g_free (priv->password);
priv->username = g_strdup (data->user);
priv->password = g_strdup (data->password);
/* If we're online, force a reconnect to fetch new credentials */
if (sw_is_online ()) {
online_notify (FALSE, service);
online_notify (TRUE, service);
}
} else {
g_free (priv->username);
g_free (priv->password);
priv->username = NULL;
priv->password = NULL;
priv->credentials = OFFLINE;
if (result != GNOME_KEYRING_RESULT_NO_MATCH) {
g_warning (G_STRLOC ": Error getting password: %s", gnome_keyring_result_to_message (result));
}
}
sw_service_emit_user_changed (service);
sw_service_emit_capabilities_changed (service, get_dynamic_caps (service));
}
static gboolean
ep_keyring_delete_passwords (const gchar *user,
const gchar *server,
const gchar *protocol,
GList *passwords,
GError **error)
{
while (passwords != NULL) {
GnomeKeyringFound *found = passwords->data;
GnomeKeyringResult result;
/* Validate the item before deleting it. */
if (!ep_keyring_validate (user, server, protocol, found->attributes)) {
/* XXX We didn't always store protocols in the
* keyring, so for backward-compatibility
* try validating by user and server only. */
if (!ep_keyring_validate (user, server, NULL, found->attributes)) {
passwords = g_list_next (passwords);
continue;
}
}
result = gnome_keyring_item_delete_sync (NULL, found->item_id);
if (result != GNOME_KEYRING_RESULT_OK) {
g_set_error (
error, EP_KEYRING_ERROR, result,
"Unable to delete password in "
"keyring (Keyring reports: %s)",
gnome_keyring_result_to_message (result));
return FALSE;
}
passwords = g_list_next (passwords);
}
return TRUE;
}
static GList *
ep_keyring_lookup_passwords (const gchar *user,
const gchar *server,
const gchar *protocol,
GError **error)
{
GnomeKeyringAttributeList *attributes;
GnomeKeyringResult result;
GList *passwords = NULL;
attributes = gnome_keyring_attribute_list_new ();
gnome_keyring_attribute_list_append_string (
attributes, "application", "Evolution");
if (user != NULL)
gnome_keyring_attribute_list_append_string (
attributes, "user", user);
if (server != NULL)
gnome_keyring_attribute_list_append_string (
attributes, "server", server);
if (protocol != NULL)
gnome_keyring_attribute_list_append_string (
attributes, "protocol", protocol);
result = gnome_keyring_find_items_sync (
GNOME_KEYRING_ITEM_NETWORK_PASSWORD, attributes, &passwords);
if (result != GNOME_KEYRING_RESULT_OK) {
g_set_error (
error, EP_KEYRING_ERROR, result,
"Unable to find password(s) in "
"keyring (Keyring reports: %s)",
gnome_keyring_result_to_message (result));
}
gnome_keyring_attribute_list_free (attributes);
return passwords;
}
// static
bool OTKeyring::Gnome_RetrieveSecret(const OTString& strUser,
OTPassword& thePassword,
const std::string& str_display)
{
OT_ASSERT(strUser.Exists());
GnomeKeyringResult theResult = GNOME_KEYRING_RESULT_IO_ERROR;
gchar* gchar_p_password = nullptr;
// if the password exists in the keyring, set it in
// thePassword (output argument.)
//
int32_t nCount = -1;
int64_t lSleep = 1;
while ((GNOME_KEYRING_RESULT_OK != theResult)) {
++nCount; // 0 on first iteration.
theResult = gnome_keyring_find_password_sync(
GNOME_KEYRING_NETWORK_PASSWORD, &gchar_p_password, "user",
strUser.Get(), "protocol", "opentxs", // todo: hardcoding.
nullptr);
if (GNOME_KEYRING_RESULT_OK == theResult) break;
if (nCount > 2) // todo hardcoding.
break; // we try a few times -- not infinite times!
OTString strGnomeError(gnome_keyring_result_to_message(theResult));
// OTString strGnomeError;
// switch (theResult) {
// case GNOME_KEYRING_RESULT_OK: strGnomeError
// = "GNOME_KEYRING_RESULT_OK"; break;
// case GNOME_KEYRING_RESULT_DENIED: strGnomeError
// = "GNOME_KEYRING_RESULT_DENIED"; break;
// case GNOME_KEYRING_RESULT_NO_KEYRING_DAEMON: strGnomeError
// = "GNOME_KEYRING_RESULT_NO_KEYRING_DAEMON"; break;
// case GNOME_KEYRING_RESULT_ALREADY_UNLOCKED: strGnomeError
// = "GNOME_KEYRING_RESULT_ALREADY_UNLOCKED"; break;
// case GNOME_KEYRING_RESULT_NO_SUCH_KEYRING: strGnomeError
// = "GNOME_KEYRING_RESULT_NO_SUCH_KEYRING"; break;
// case GNOME_KEYRING_RESULT_BAD_ARGUMENTS: strGnomeError
// = "GNOME_KEYRING_RESULT_BAD_ARGUMENTS"; break;
// case GNOME_KEYRING_RESULT_IO_ERROR: strGnomeError
// = "GNOME_KEYRING_RESULT_IO_ERROR"; break;
// case GNOME_KEYRING_RESULT_CANCELLED: strGnomeError
// = "GNOME_KEYRING_RESULT_CANCELLED"; break;
// case GNOME_KEYRING_RESULT_KEYRING_ALREADY_EXISTS:
// strGnomeError = "GNOME_KEYRING_RESULT_KEYRING_ALREADY_EXISTS"; break;
// case GNOME_KEYRING_RESULT_NO_MATCH: strGnomeError
// = "GNOME_KEYRING_RESULT_NO_MATCH"; break;
//
// default:
// strGnomeError = "Unknown! Very strange!";
// break;
// }
otErr << __FUNCTION__ << ": gnome_keyring_find_password_sync returned "
<< strGnomeError.Get() << '\n';
otErr << "Remedy: Sleeping for " << lSleep
<< " seconds and then retrying (attempt " << (nCount + 2) << '\n';
// on first iteration, nCount is 0, and this will say "attempt 2" aka
// "second attempt," which is correct.
sleep(lSleep);
lSleep *= 2; // double it each time
}
if ((theResult == GNOME_KEYRING_RESULT_OK) &&
(nullptr != gchar_p_password)) {
size_t sizePassword =
OTString::safe_strlen(gchar_p_password, MAX_STRING_LENGTH);
if (sizePassword > 0) {
OTString strData(gchar_p_password, sizePassword);
gnome_keyring_free_password(gchar_p_password);
gchar_p_password = nullptr;
OTASCIIArmor ascData;
const bool bLoaded =
strData.Exists() && ascData.LoadFromString(strData);
strData.zeroMemory();
if (!bLoaded)
otErr << __FUNCTION__ << ": Failed trying to decode secret "
"from Gnome Keyring contents:\n\n"
<< strData.Get() << "\n\n";
else {
OTData thePayload(ascData);
ascData.zeroMemory();
if (thePayload.IsEmpty())
otErr << __FUNCTION__ << ": Failed trying to decode secret "
"OTData from OTASCIIArmor "
<< "from Gnome Keyring contents:\n\n" << strData.Get()
<< "\n\n";
else {
thePassword.setMemory(thePayload.GetPayloadPointer(),
thePayload.GetSize());
thePayload.zeroMemory(); // for security.
return true;
}
return false;
}
}
}
// Not an error: what if it just hasn't been set there yet?
//
otOut << "OTKeyring::Gnome_RetrieveSecret: "
<< "No secret found: gnome_keyring_find_password_sync: "
<< gnome_keyring_result_to_message(theResult) << '\n';
return false;
}
gboolean gnc_keyring_get_password ( GtkWidget *parent,
const gchar *access_method,
const gchar *server,
guint32 port,
const gchar *service,
gchar **user,
gchar **password)
{
gboolean password_found = FALSE;
#ifdef HAVE_GNOME_KEYRING
GnomeKeyringResult gkr_result;
GList *found_list = NULL;
GnomeKeyringNetworkPasswordData *found;
#endif
#ifdef HAVE_OSX_KEYCHAIN
void *password_data;
UInt32 password_length;
OSStatus status;
#endif
g_return_val_if_fail (user != NULL, FALSE);
g_return_val_if_fail (password != NULL, FALSE);
*password = NULL;
#ifdef HAVE_GNOME_KEYRING
gkr_result = gnome_keyring_find_network_password_sync
( *user, NULL, server, service,
access_method, NULL, port, &found_list );
if (gkr_result == GNOME_KEYRING_RESULT_OK)
{
found = (GnomeKeyringNetworkPasswordData *) found_list->data;
if (found->password)
*password = g_strdup(found->password);
password_found = TRUE;
}
else
PWARN ("Gnome-keyring access failed: %s.",
gnome_keyring_result_to_message(gkr_result));
gnome_keyring_network_password_list_free(found_list);
#endif /* HAVE_GNOME_KEYRING */
#ifdef HAVE_OSX_KEYCHAIN
/* mysql and postgres aren't valid protocols on Mac OS X.
* So we use the security domain parameter to allow us to
* distinguish between these two.
*/
if (*user != NULL)
{
status = SecKeychainFindInternetPassword( NULL,
strlen(server), server,
strlen(access_method), access_method,
strlen(*user), *user,
strlen(service), service,
port,
kSecProtocolTypeAny,
kSecAuthenticationTypeDefault,
&password_length, &password_data,
NULL);
if ( status == noErr )
{
*password = g_strndup(password_data, password_length);
password_found = TRUE;
SecKeychainItemFreeContent(NULL, password_data);
}
else
{
CFStringRef osx_resultstring = SecCopyErrorMessageString( status, NULL );
const gchar *resultstring = CFStringGetCStringPtr(osx_resultstring,
GetApplicationTextEncoding());
PWARN ( "OS X keychain error: %s", resultstring );
CFRelease ( osx_resultstring );
}
}
#endif /* HAVE_OSX_KEYCHAIN */
if ( !password_found )
{
/* If we got here, either no proper password store is
* available on this system, or we couldn't retrieve
* a password from it. In both cases, just ask the user
* to enter one
*/
gchar *db_path, *heading;
if ( port == 0 )
db_path = g_strdup_printf ( "%s://%s/%s", access_method, server, service );
else
db_path = g_strdup_printf ( "%s://%s:%d/%s", access_method, server, port, service );
heading = g_strdup_printf ( /* Translators: %s is a path to a database or any other url,
like mysql://[email protected]/somedb, http://www.somequotes.com/thequotes */
_("Enter a user name and password to connect to: %s"),
db_path );
password_found = gnc_get_username_password ( parent, heading,
*user, NULL,
user, password );
g_free ( db_path );
g_free ( heading );
if ( password_found )
{
/* User entered new user/password information
* Let's try to add it to a password store.
*/
gchar *newuser = g_strdup( *user );
gchar *newpassword = g_strdup( *password );
gnc_keyring_set_password ( access_method,
server,
port,
service,
newuser,
newpassword );
g_free ( newuser );
g_free ( newpassword );
}
}
return password_found;
}
