static void CheckOSStatusOrRaise(OSStatus err){
if(err != 0){
CFStringRef description = SecCopyErrorMessageString(err, NULL);
CFIndex bufferSize = CFStringGetMaximumSizeForEncoding(CFStringGetLength(description), kCFStringEncodingUTF8);
char *buffer = malloc(bufferSize + 1);
CFStringGetCString(description, buffer, bufferSize + 1, kCFStringEncodingUTF8);
CFRelease(description);
VALUE exceptionString = rb_enc_str_new(buffer, strlen(buffer), rb_utf8_encoding());
free(buffer);
VALUE exception = Qnil;
switch(err){
case errSecAuthFailed:
exception = rb_obj_alloc(rb_eKeychainAuthFailedError);
break;
case errSecNoSuchKeychain:
exception = rb_obj_alloc(rb_eKeychainNoSuchKeychainError);
break;
case errSecDuplicateItem:
exception = rb_obj_alloc(rb_eKeychainDuplicateItemError);
break;
default:
exception = rb_obj_alloc(rb_eKeychainError);
}
rb_funcall(exception, rb_intern("initialize"), 2,exceptionString, INT2FIX(err));
rb_exc_raise(exception);
}
}
char *get_error(OSStatus status) {
char *buf = malloc(128);
CFStringRef str = SecCopyErrorMessageString(status, NULL);
int success = CFStringGetCString(str, buf, 128, kCFStringEncodingUTF8);
if (success) {
strncpy(buf, "Unknown error", 128);
}
return buf;
}
/* Shorthand for throwing an OSXKeychainException from an OSStatus.
*
* Parameters:
* env The JNI environment.
* status The non-error status returned from a keychain call.
*/
void throw_osxkeychainexception(JNIEnv* env, OSStatus status) {
CFStringRef errorMessage = SecCopyErrorMessageString(status, NULL);
throw_exception(
env,
OSXKeychainException,
CFStringGetCStringPtr(errorMessage, kCFStringEncodingMacRoman)
);
CFRelease(errorMessage);
}
void gnc_keyring_set_password (const gchar *access_method,
const gchar *server,
guint32 port,
const gchar *service,
const gchar *user,
const gchar* password)
{
#ifdef HAVE_GNOME_KEYRING
GnomeKeyringResult gkr_result;
guint32 item_id = 0;
gkr_result = gnome_keyring_set_network_password_sync
(NULL, user, NULL, server, service,
access_method, NULL, port, password, &item_id);
if (gkr_result != GNOME_KEYRING_RESULT_OK)
{
PWARN ("Gnome-keyring error: %s",
gnome_keyring_result_to_message(gkr_result));
PWARN ("The user will be prompted for a password again next time.");
}
#endif /* HAVE_GNOME_KEYRING */
#ifdef HAVE_OSX_KEYCHAIN
OSStatus status;
SecKeychainItemRef *itemRef = NULL;
/* mysql and postgres aren't valid protocols on Mac OS X.
* So we use the security domain parameter to allow us to
* distinguish between these two.
*/
// FIXME I'm not sure this works if a password was already in the keychain
// I may have to do a lookup first and if it exists, run some update
// update function instead
status = SecKeychainAddInternetPassword ( NULL, /* keychain */
strlen(server), server, /* servername */
strlen(access_method), access_method, /* securitydomain */
strlen(user), user, /* acountname */
strlen(service), service, /* path */
port, /* port */
kSecProtocolTypeAny, /* protocol */
kSecAuthenticationTypeDefault, /* auth type */
strlen(password), password, /* passworddata */
itemRef );
if ( status != noErr )
{
CFStringRef osx_resultstring = SecCopyErrorMessageString( status, NULL );
const gchar *resultstring = CFStringGetCStringPtr(osx_resultstring,
GetApplicationTextEncoding());
PWARN ( "OS X keychain error: %s", resultstring );
PWARN ( "The user will be prompted for a password again next time." );
CFRelease ( osx_resultstring );
}
#endif /* HAVE_OSX_KEYCHAIN */
}
CFArrayRef SecTrustCopyProperties(SecTrustRef trust) {
/* OS X creates a completely different structure with one dictionary for each certificate */
CFIndex ix, count = SecTrustGetCertificateCount(trust);
CFMutableArrayRef properties = CFArrayCreateMutable(kCFAllocatorDefault, count,
&kCFTypeArrayCallBacks);
for (ix = 0; ix < count; ix++) {
CFMutableDictionaryRef certDict = CFDictionaryCreateMutable(NULL, 0, &kCFTypeDictionaryKeyCallBacks,
&kCFTypeDictionaryValueCallBacks);
/* Populate the certificate title */
SecCertificateRef cert = SecTrustGetCertificateAtIndex(trust, ix);
if (cert) {
CFStringRef subjectSummary = SecCertificateCopySubjectSummary(cert);
if (subjectSummary) {
CFDictionaryAddValue(certDict, kSecPropertyTypeTitle, subjectSummary);
CFRelease(subjectSummary);
}
}
/* Populate a revocation reason if the cert was revoked */
unsigned int numStatusCodes;
CSSM_RETURN *statusCodes = NULL;
statusCodes = copyCssmStatusCodes(trust, (uint32_t)ix, &numStatusCodes);
if (statusCodes) {
int32_t reason = statusCodes[numStatusCodes]; // stored at end of status codes array
if (reason > 0) {
CFNumberRef cfreason = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &reason);
if (cfreason) {
CFDictionarySetValue(certDict, kSecTrustRevocationReason, cfreason);
CFRelease(cfreason);
}
}
free(statusCodes);
}
/* Populate the error in the leaf dictionary */
if (ix == 0) {
OSStatus error = errSecSuccess;
(void)SecTrustGetCssmResultCode(trust, &error);
CFStringRef errorStr = SecCopyErrorMessageString(error, NULL);
if (errorStr) {
CFDictionarySetValue(certDict, kSecPropertyTypeError, errorStr);
CFRelease(errorStr);
}
}
CFArrayAppendValue(properties, certDict);
CFRelease(certDict);
}
return properties;
}
void printErrorStatusMsg(const char *func, OSStatus status)
{
CFStringRef error;
error = SecCopyErrorMessageString(status, NULL);
if (error)
{
warnx("%s failed: %s", func, CFStringGetCStringPtr(error, kCFStringEncodingUTF8));
CFRelease(error);
}
else
warnx("%s failed: %X", func, (int)status);
}
static int chk_status(OSStatus status, const char *msg) {
if (status != errSecSuccess) {
CFStringRef rs = SecCopyErrorMessageString(status, 0);
if (rs) {
if (CFStringGetCString(rs, buf, sizeof(buf), kCFStringEncodingUTF8)) {
CFRelease(rs);
Rf_error("Unable to %s password: %s", msg, buf);
}
CFRelease(rs);
}
Rf_error("Unable to %s password, system error code %d", msg, (int)status);
return 1;
}
return 0;
}
bool
mongoc_stream_tls_secure_transport_handshake (mongoc_stream_t *stream,
const char *host,
int *events,
bson_error_t *error)
{
OSStatus ret = 0;
CFStringRef err;
char *err_str;
mongoc_stream_tls_t *tls = (mongoc_stream_tls_t *) stream;
mongoc_stream_tls_secure_transport_t *secure_transport =
(mongoc_stream_tls_secure_transport_t *) tls->ctx;
ENTRY;
BSON_ASSERT (secure_transport);
ret = SSLHandshake (secure_transport->ssl_ctx_ref);
/* Weak certificate validation requested, eg: none */
if (ret == errSSLServerAuthCompleted) {
ret = errSSLWouldBlock;
}
if (ret == noErr) {
RETURN (true);
}
if (ret == errSSLWouldBlock) {
*events = POLLIN | POLLOUT;
} else {
*events = 0;
err = SecCopyErrorMessageString (ret, NULL);
err_str = _mongoc_cfstringref_to_cstring (err);
bson_set_error (error,
MONGOC_ERROR_STREAM,
MONGOC_ERROR_STREAM_SOCKET,
"TLS handshake failed: %s (%d)",
err_str,
ret);
bson_free (err_str);
CFRelease (err);
}
RETURN (false);
}
int stransport_error(OSStatus ret)
{
CFStringRef message;
if (ret == noErr || ret == errSSLClosedGraceful) {
giterr_clear();
return 0;
}
#if !TARGET_OS_IPHONE
message = SecCopyErrorMessageString(ret, NULL);
GITERR_CHECK_ALLOC(message);
giterr_set(GITERR_NET, "SecureTransport error: %s", CFStringGetCStringPtr(message, kCFStringEncodingUTF8));
CFRelease(message);
#else
giterr_set(GITERR_NET, "SecureTransport error: OSStatus %d", (unsigned int)ret);
#endif
return -1;
}
gboolean gnc_keyring_get_password ( GtkWidget *parent,
const gchar *access_method,
const gchar *server,
guint32 port,
const gchar *service,
gchar **user,
gchar **password)
{
gboolean password_found = FALSE;
#ifdef HAVE_GNOME_KEYRING
GnomeKeyringResult gkr_result;
GList *found_list = NULL;
GnomeKeyringNetworkPasswordData *found;
#endif
#ifdef HAVE_OSX_KEYCHAIN
void *password_data;
UInt32 password_length;
OSStatus status;
#endif
g_return_val_if_fail (user != NULL, FALSE);
g_return_val_if_fail (password != NULL, FALSE);
*password = NULL;
#ifdef HAVE_GNOME_KEYRING
gkr_result = gnome_keyring_find_network_password_sync
( *user, NULL, server, service,
access_method, NULL, port, &found_list );
if (gkr_result == GNOME_KEYRING_RESULT_OK)
{
found = (GnomeKeyringNetworkPasswordData *) found_list->data;
if (found->password)
*password = g_strdup(found->password);
password_found = TRUE;
}
else
PWARN ("Gnome-keyring access failed: %s.",
gnome_keyring_result_to_message(gkr_result));
gnome_keyring_network_password_list_free(found_list);
#endif /* HAVE_GNOME_KEYRING */
#ifdef HAVE_OSX_KEYCHAIN
/* mysql and postgres aren't valid protocols on Mac OS X.
* So we use the security domain parameter to allow us to
* distinguish between these two.
*/
if (*user != NULL)
{
status = SecKeychainFindInternetPassword( NULL,
strlen(server), server,
strlen(access_method), access_method,
strlen(*user), *user,
strlen(service), service,
port,
kSecProtocolTypeAny,
kSecAuthenticationTypeDefault,
&password_length, &password_data,
NULL);
if ( status == noErr )
{
*password = g_strndup(password_data, password_length);
password_found = TRUE;
SecKeychainItemFreeContent(NULL, password_data);
}
else
{
CFStringRef osx_resultstring = SecCopyErrorMessageString( status, NULL );
const gchar *resultstring = CFStringGetCStringPtr(osx_resultstring,
GetApplicationTextEncoding());
PWARN ( "OS X keychain error: %s", resultstring );
CFRelease ( osx_resultstring );
}
}
#endif /* HAVE_OSX_KEYCHAIN */
if ( !password_found )
{
/* If we got here, either no proper password store is
* available on this system, or we couldn't retrieve
* a password from it. In both cases, just ask the user
* to enter one
*/
gchar *db_path, *heading;
if ( port == 0 )
db_path = g_strdup_printf ( "%s://%s/%s", access_method, server, service );
else
db_path = g_strdup_printf ( "%s://%s:%d/%s", access_method, server, port, service );
heading = g_strdup_printf ( /* Translators: %s is a path to a database or any other url,
like mysql://[email protected]/somedb, http://www.somequotes.com/thequotes */
_("Enter a user name and password to connect to: %s"),
db_path );
password_found = gnc_get_username_password ( parent, heading,
*user, NULL,
user, password );
g_free ( db_path );
g_free ( heading );
if ( password_found )
{
/* User entered new user/password information
* Let's try to add it to a password store.
*/
gchar *newuser = g_strdup( *user );
gchar *newpassword = g_strdup( *password );
gnc_keyring_set_password ( access_method,
server,
port,
service,
newuser,
newpassword );
g_free ( newuser );
g_free ( newpassword );
}
}
return password_found;
}
CFStringRef AppleCryptoNative_SecCopyErrorMessageString(int32_t osStatus)
{
return SecCopyErrorMessageString(osStatus, NULL);
}
static int importKeychainToX509_STORE(X509_STORE* verifyStore, char* err, size_t err_len) {
int status = 1;
CFArrayRef result = NULL;
OSStatus osStatus;
// This copies all the certificates trusted by the system (regardless of what
// keychain they're
// attached to) into a CFArray.
if ((osStatus = SecTrustCopyAnchorCertificates(&result)) != 0) {
CFStringRef statusString = SecCopyErrorMessageString(osStatus, NULL);
snprintf(err,
err_len,
"Error enumerating certificates: %s",
CFStringGetCStringPtr(statusString, kCFStringEncodingASCII));
CFRelease(statusString);
status = 0;
goto CLEANUP;
}
CFDataRef rawData = NULL;
X509* x509Cert = NULL;
for (CFIndex i = 0; i < CFArrayGetCount(result); i++) {
SecCertificateRef cert = (SecCertificateRef)CFArrayGetValueAtIndex(result, i);
rawData = SecCertificateCopyData(cert);
if (!rawData) {
snprintf(err, err_len, "Error enumerating certificates");
status = 0;
goto CLEANUP;
}
const uint8_t* rawDataPtr = CFDataGetBytePtr(rawData);
// Parse an openssl X509 object from each returned certificate
x509Cert = d2i_X509(NULL, &rawDataPtr, CFDataGetLength(rawData));
if (!x509Cert) {
snprintf(err,
err_len,
"Error parsing X509 certificate from system keychain: %s",
ERR_reason_error_string(ERR_peek_last_error()));
status = 0;
goto CLEANUP;
}
// Add the parsed X509 object to the X509_STORE verification store
if (X509_STORE_add_cert(verifyStore, x509Cert) != 1) {
int check_error_status = checkX509_STORE_error(err, err_len);
if (!check_error_status) {
status = check_error_status;
goto CLEANUP;
}
}
CFRelease(rawData);
rawData = NULL;
X509_free(x509Cert);
x509Cert = NULL;
}
CLEANUP:
if (result != NULL) {
CFRelease(result);
}
if (rawData != NULL) {
CFRelease(rawData);
}
if (x509Cert != NULL) {
X509_free(x509Cert);
}
return status;
}
