void SG_password__get(
SG_context *pCtx,
const char *szRepoSpec,
const char *username,
SG_string **pPassword)
{
SG_byte *pwdata = NULL;
SG_uint32 pwlen;
SG_string *password = NULL;
SG_string *path = NULL;
SG_string *server = NULL;
SecProtocolType proto;
SG_uint32 port;
SG_bool isValid = SG_FALSE;
OSStatus findRes;
SG_NULLARGCHECK_RETURN(pPassword);
*pPassword = NULL;
SG_NULLARGCHECK(username);
SG_NULLARGCHECK(szRepoSpec);
SG_ERR_CHECK( _sg_password__parse_url(pCtx, szRepoSpec,
&isValid, &proto, &server, &path, &port) );
if (! isValid)
SG_ERR_THROW(SG_ERR_NOTIMPLEMENTED);
findRes = SecKeychainFindInternetPassword(
NULL,
SG_STRLEN( SG_string__sz(server) ), SG_string__sz(server),
0, NULL,
SG_STRLEN(username), username,
SG_STRLEN( SG_string__sz(path) ), SG_string__sz(path),
port, proto, kSecAuthenticationTypeDefault,
(UInt32 *)&pwlen, (void **)&pwdata,
NULL);
if (findRes == errSecItemNotFound ||
findRes == errSecInteractionNotAllowed)
goto fail;
else if (findRes != errSecSuccess)
_SG_THROW_MAC_SEC_ERROR(findRes);
SG_ERR_CHECK( SG_STRING__ALLOC__BUF_LEN(pCtx, &password, pwdata, pwlen) );
*pPassword = password;
password = NULL;
fail:
if (pwdata)
SecKeychainItemFreeContent(NULL, pwdata);
SG_STRING_NULLFREE(pCtx, path);
SG_STRING_NULLFREE(pCtx, server);
SG_STRING_NULLFREE(pCtx, password);
}
static void find_internet_password(void)
{
void *buf;
UInt32 len;
SecKeychainItemRef item;
if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, &len, &buf, &item))
return;
write_item("password", buf, len);
if (!username)
find_username_in_item(item);
SecKeychainItemFreeContent(NULL, buf);
}
static void delete_internet_password(void)
{
SecKeychainItemRef item;
/*
* Require at least a protocol and host for removal, which is what git
* will give us; if you want to do something more fancy, use the
* Keychain manager.
*/
if (!protocol || !host)
return;
if (SecKeychainFindInternetPassword(KEYCHAIN_ARGS, 0, NULL, &item))
return;
SecKeychainItemDelete(item);
}
bool OsxWallet::getCredentials(const QString &realm, QString &user, QString &password)
{
const QByteArray realm_data = realm.toUtf8();
const QByteArray user_data = user.toUtf8();
SecKeychainItemRef itemRef = NULL;
/* get password */
int rc = SecKeychainFindInternetPassword(keychain,
realm_data.size(), realm_data.constData(),
0, NULL,
user_data.size(), user_data.constData(),
0, NULL,
0, kSecProtocolTypeAny, kSecAuthenticationTypeAny,
0, NULL,
&itemRef);
if (rc != errSecSuccess)
return false;
/* get username */
SecKeychainAttribute attr;
SecKeychainAttributeList attrList;
attr.tag = kSecAccountItemAttr;
attr.length = 0;
attr.data = NULL;
attrList.count = 1;
attrList.attr = &attr;
UInt32 password_length = 0;
void *password_data = NULL;
if (SecKeychainItemCopyContent(itemRef, NULL, &attrList, &password_length, &password_data) != errSecSuccess)
{
CFRelease(itemRef);
return false;
}
/* store results */
user = QString::fromUtf8(QByteArray((char*)attr.data, attr.length));
password = QString::fromUtf8(QByteArray((char*)password_data, password_length));
SecKeychainItemFreeContent(&attrList, password_data);
CFRelease(itemRef);
return true;
}
bool OsxWallet::setCredentials(const QString &realm, const QString &user, const QString &password)
{
const QByteArray realm_data = realm.toUtf8();
const QByteArray user_data = user.toUtf8();
const QByteArray password_data = password.toUtf8();
/* check whether the entry already exists */
SecKeychainItemRef itemRef = NULL;
int rc = SecKeychainFindInternetPassword(keychain,
realm_data.size(), realm_data.constData(),
0, NULL,
user_data.size(), user_data.constData(),
0, NULL,
0, kSecProtocolTypeAny, kSecAuthenticationTypeAny,
0, NULL,
&itemRef);
if (rc == errSecSuccess)
{
// FIXME: we should not update username!
SecKeychainAttribute attr;
SecKeychainAttributeList attrList;
attr.tag = kSecAccountItemAttr;
attr.length = user_data.size();
attr.data = (void*)user_data.constData();
attrList.count = 1;
attrList.attr = &attr;
rc = SecKeychainItemModifyAttributesAndData(itemRef, &attrList, password_data.size(), password_data.constData());
CFRelease(itemRef);
} else {
rc = SecKeychainAddInternetPassword(keychain,
realm_data.size(), realm_data.constData(),
0, NULL,
user_data.size(), user_data.constData(),
0, NULL,
0, kSecProtocolTypeAny, kSecAuthenticationTypeAny,
password_data.size(), password_data.constData(), NULL);
}
return (rc == errSecSuccess);
}
static void
get_password_from_keychain(Pop3 pc, const char *username,
const char *servername,
/*@out@ */ char *password,
/*@out@ */
unsigned char *password_len)
{
SecKeychainRef kc;
OSStatus rc;
char *secpwd;
UInt32 pwdlen;
rc = SecKeychainCopyDefault(&kc);
if (rc != noErr) {
DM(pc, DEBUG_ERROR, "passmgr: unable to open keychain, exiting\n");
exit(EXIT_FAILURE);
}
rc = SecKeychainFindInternetPassword(kc, strlen(servername),
servername, 0, NULL,
strlen(username), username, 0,
NULL, 0, NULL,
kSecAuthenticationTypeDefault,
&pwdlen, (void **) &secpwd, NULL);
if (rc != noErr) {
DM(pc, DEBUG_ERROR,
"passmgr: keychain password grab for %s at %s failed, exiting\n", username, servername);
DM(pc, DEBUG_ERROR, "passmgr: (perhaps you pressed 'deny')\n");
/* this seems like the sanest thing to do, for now */
exit(EXIT_FAILURE);
}
if (pwdlen < *password_len) {
strncpy(password, secpwd, pwdlen);
password[pwdlen] = '\0';
*password_len = pwdlen;
} else {
DM(pc, DEBUG_ERROR,
"passmgr: warning: your password appears longer (%lu) than expected (%d)\n",
strlen(secpwd), *password_len - 1);
}
rc = SecKeychainItemFreeContent(NULL, secpwd);
return;
}
bool OsxWallet::deleteCredentials(const QString &realm, const QString &user)
{
const QByteArray realm_data = realm.toUtf8();
const QByteArray user_data = user.toUtf8();
SecKeychainItemRef itemRef = NULL;
/* check whether the entry exists */
int rc = SecKeychainFindInternetPassword(keychain,
realm_data.size(), realm_data.constData(),
0, NULL,
user_data.size(), user_data.constData(),
0, NULL,
0, kSecProtocolTypeAny, kSecAuthenticationTypeAny,
0, NULL,
&itemRef);
if (rc != errSecSuccess)
return false;
rc = SecKeychainItemDelete(itemRef);
CFRelease(itemRef);
return (rc == errSecSuccess);
}
gboolean gnc_keyring_get_password ( GtkWidget *parent,
const gchar *access_method,
const gchar *server,
guint32 port,
const gchar *service,
gchar **user,
gchar **password)
{
gboolean password_found = FALSE;
#ifdef HAVE_GNOME_KEYRING
GnomeKeyringResult gkr_result;
GList *found_list = NULL;
GnomeKeyringNetworkPasswordData *found;
#endif
#ifdef HAVE_OSX_KEYCHAIN
void *password_data;
UInt32 password_length;
OSStatus status;
#endif
g_return_val_if_fail (user != NULL, FALSE);
g_return_val_if_fail (password != NULL, FALSE);
*password = NULL;
#ifdef HAVE_GNOME_KEYRING
gkr_result = gnome_keyring_find_network_password_sync
( *user, NULL, server, service,
access_method, NULL, port, &found_list );
if (gkr_result == GNOME_KEYRING_RESULT_OK)
{
found = (GnomeKeyringNetworkPasswordData *) found_list->data;
if (found->password)
*password = g_strdup(found->password);
password_found = TRUE;
}
else
PWARN ("Gnome-keyring access failed: %s.",
gnome_keyring_result_to_message(gkr_result));
gnome_keyring_network_password_list_free(found_list);
#endif /* HAVE_GNOME_KEYRING */
#ifdef HAVE_OSX_KEYCHAIN
/* mysql and postgres aren't valid protocols on Mac OS X.
* So we use the security domain parameter to allow us to
* distinguish between these two.
*/
if (*user != NULL)
{
status = SecKeychainFindInternetPassword( NULL,
strlen(server), server,
strlen(access_method), access_method,
strlen(*user), *user,
strlen(service), service,
port,
kSecProtocolTypeAny,
kSecAuthenticationTypeDefault,
&password_length, &password_data,
NULL);
if ( status == noErr )
{
*password = g_strndup(password_data, password_length);
password_found = TRUE;
SecKeychainItemFreeContent(NULL, password_data);
}
else
{
CFStringRef osx_resultstring = SecCopyErrorMessageString( status, NULL );
const gchar *resultstring = CFStringGetCStringPtr(osx_resultstring,
GetApplicationTextEncoding());
PWARN ( "OS X keychain error: %s", resultstring );
CFRelease ( osx_resultstring );
}
}
#endif /* HAVE_OSX_KEYCHAIN */
if ( !password_found )
{
/* If we got here, either no proper password store is
* available on this system, or we couldn't retrieve
* a password from it. In both cases, just ask the user
* to enter one
*/
gchar *db_path, *heading;
if ( port == 0 )
db_path = g_strdup_printf ( "%s://%s/%s", access_method, server, service );
else
db_path = g_strdup_printf ( "%s://%s:%d/%s", access_method, server, port, service );
heading = g_strdup_printf ( /* Translators: %s is a path to a database or any other url,
like mysql://[email protected]/somedb, http://www.somequotes.com/thequotes */
_("Enter a user name and password to connect to: %s"),
db_path );
password_found = gnc_get_username_password ( parent, heading,
*user, NULL,
user, password );
g_free ( db_path );
g_free ( heading );
if ( password_found )
{
/* User entered new user/password information
* Let's try to add it to a password store.
*/
gchar *newuser = g_strdup( *user );
gchar *newpassword = g_strdup( *password );
gnc_keyring_set_password ( access_method,
server,
port,
service,
newuser,
newpassword );
g_free ( newuser );
g_free ( newpassword );
}
}
return password_found;
}
/* Implementation of OSXKeychain.findInternetPassword(). See the Java docs for
* explanations of the parameters.
*/
JNIEXPORT jstring JNICALL Java_com_mcdermottroe_apple_OSXKeychain__1findInternetPassword(JNIEnv* env, jobject obj, jstring serverName, jstring securityDomain, jstring accountName, jstring path, jint port) {
OSStatus status;
jstring_unpacked server_name;
jstring_unpacked security_domain;
jstring_unpacked account_name;
jstring_unpacked server_path;
jstring result = NULL;
/* This is the password buffer which will be used by
* SecKeychainFindInternetPassword
*/
void* password;
UInt32 password_length;
/* Query the keychain */
status = SecKeychainSetPreferenceDomain(kSecPreferencesDomainUser);
if (status != errSecSuccess) {
throw_osxkeychainexception(env, status);
return NULL;
}
/* Unpack all the jstrings into useful structures. */
jstring_unpack(env, serverName, &server_name);
jstring_unpack(env, securityDomain, &security_domain);
jstring_unpack(env, accountName, &account_name);
jstring_unpack(env, path, &server_path);
if (server_name.str == NULL ||
security_domain.str == NULL ||
account_name.str == NULL ||
server_path.str == NULL) {
jstring_unpacked_free(env, serverName, &server_name);
jstring_unpacked_free(env, securityDomain, &security_domain);
jstring_unpacked_free(env, accountName, &account_name);
jstring_unpacked_free(env, path, &server_path);
return NULL;
}
status = SecKeychainFindInternetPassword(
NULL,
server_name.len,
server_name.str,
security_domain.len,
security_domain.str,
account_name.len,
account_name.str,
server_path.len,
server_path.str,
port,
kSecProtocolTypeAny,
kSecAuthenticationTypeAny,
&password_length,
&password,
NULL
);
if (status != errSecSuccess) {
throw_osxkeychainexception(env, status);
}
else {
// the returned value from keychain is not
// null terminated, so a copy is created.
char* password_buffer = (char *) malloc(password_length+1);
memcpy(password_buffer, password, password_length);
password_buffer[password_length] = 0;
/* Create the return value. */
result = (*env)->NewStringUTF(env, password_buffer);
/* Clean up. */
bzero(password_buffer, password_length);
free(password_buffer);
SecKeychainItemFreeContent(NULL, password);
}
jstring_unpacked_free(env, serverName, &server_name);
jstring_unpacked_free(env, securityDomain, &security_domain);
jstring_unpacked_free(env, accountName, &account_name);
jstring_unpacked_free(env, path, &server_path);
return result;
}
void SG_password__set(
SG_context *pCtx,
const char *szRepoSpec,
SG_string *pUserName,
SG_string *pPassword)
{
const char *username, *password;
SG_string *path = NULL;
SG_string *server = NULL;
SecProtocolType proto;
SG_uint32 port;
SG_bool isValid = SG_FALSE;
OSStatus saveRes, findRes;
SecKeychainItemRef item = NULL;
SG_NULLARGCHECK(pUserName);
SG_NULLARGCHECK(pPassword);
SG_NULLARGCHECK(szRepoSpec);
username = SG_string__sz(pUserName);
password = SG_string__sz(pPassword);
SG_ERR_CHECK( _sg_password__parse_url(pCtx, szRepoSpec,
&isValid, &proto, &server, &path, &port) );
if (! isValid)
SG_ERR_THROW(SG_ERR_NOTIMPLEMENTED);
findRes = SecKeychainFindInternetPassword(
NULL,
SG_STRLEN( SG_string__sz(server) ), SG_string__sz(server),
0, NULL,
SG_STRLEN(username), username,
SG_STRLEN( SG_string__sz(path) ), SG_string__sz(path),
port, proto, kSecAuthenticationTypeDefault,
NULL, NULL,
&item);
if (findRes == errSecSuccess)
{
saveRes = SecKeychainItemModifyAttributesAndData(item, NULL, SG_STRLEN(password), password);
}
else
{
saveRes = SecKeychainAddInternetPassword(
NULL,
SG_STRLEN( SG_string__sz(server) ), SG_string__sz(server),
0, NULL,
SG_STRLEN(username), username,
SG_STRLEN( SG_string__sz(path) ), SG_string__sz(path),
port, proto, kSecAuthenticationTypeDefault,
SG_STRLEN(password), password,
NULL);
}
if (saveRes != errSecSuccess)
_SG_THROW_MAC_SEC_ERROR(saveRes);
fail:
if (item)
CFRelease(item);
SG_STRING_NULLFREE(pCtx, path);
SG_STRING_NULLFREE(pCtx, server);
}
VALUE internet_password_for(VALUE self, VALUE data) {
VALUE ret = Qnil;
CHECK_FETCH_HASH_KEY(account)
CHECK_FETCH_HASH_KEY(protocol)
CHECK_FETCH_HASH_KEY(server)
VALUE sym_auth = rb_eval_string(":auth");
VALUE auth;
if (!rb_funcall(data, rb_intern("has_key?"), 1, sym_auth)) {
auth = 0;
} else {
auth = rb_funcall(rb_funcall(data, rb_intern("fetch"), 1, sym_auth), rb_intern("to_s"), 0);
auth = String2FourChar(StringValuePtr(auth));
}
VALUE sym_port = rb_eval_string(":port");
VALUE port;
if (!rb_funcall(data, rb_intern("has_key?"), 1, sym_port)) {
port = 0;
} else {
port = rb_funcall(rb_funcall(data, rb_intern("fetch"), 1, sym_port), rb_intern("to_i"), 0);
port = NUM2INT(port);
}
VALUE sym_path = rb_eval_string(":path");
VALUE path;
if (!rb_funcall(data, rb_intern("has_key?"), 1, sym_path)) {
path = rb_str_new2("");
} else {
path = rb_funcall(rb_funcall(data, rb_intern("fetch"), 1, sym_path), rb_intern("to_s"), 0);
}
char *passwordData = nil; // will be allocated and filled in by SecKeychainFindGenericPassword
UInt32 passwordLength = nil;
OSStatus status = SecKeychainFindInternetPassword (
NULL, // default keychain
strlen(StringValuePtr(server)), // length of serverName
StringValuePtr(server), // serverName
0, // length of domain
NULL, // no domain
strlen(StringValuePtr(account)), // length of account name
StringValuePtr(account), // account name
strlen(StringValuePtr(path)), // length of path
StringValuePtr(path), // path
port, // ignore port
String2FourChar(StringValuePtr(protocol)), // protocol
auth,
&passwordLength,
&passwordData,
NULL
);
if (status == noErr) {
((char*)passwordData)[passwordLength] = '\0'; // Should this be necessary?
ret = rb_str_new2(passwordData);
SecKeychainItemFreeContent(NULL, passwordData);
} else if (status == errSecItemNotFound) {
ret = Qnil;
} else if (status == errSecAuthFailed) {
rb_raise(rb_eSecurityError, "Authorisation failed");
} else {
rb_raise(rb_eStandardError, getStatusString(status));
}
return ret;
}
VALUE destroy_internet_password_for(VALUE self, VALUE data) {
CHECK_FETCH_HASH_KEY(account)
CHECK_FETCH_HASH_KEY(protocol)
CHECK_FETCH_HASH_KEY(server)
VALUE sym_auth = rb_eval_string(":auth");
VALUE auth;
if (!rb_funcall(data, rb_intern("has_key?"), 1, sym_auth)) {
auth = 0;
} else {
auth = rb_funcall(rb_funcall(data, rb_intern("fetch"), 1, sym_auth), rb_intern("to_s"), 0);
auth = String2FourChar(StringValuePtr(auth));
}
VALUE sym_port = rb_eval_string(":port");
VALUE port;
if (!rb_funcall(data, rb_intern("has_key?"), 1, sym_port)) {
port = 0;
} else {
port = rb_funcall(rb_funcall(data, rb_intern("fetch"), 1, sym_port), rb_intern("to_i"), 0);
port = NUM2INT(port);
}
VALUE sym_path = rb_eval_string(":path");
VALUE path;
if (!rb_funcall(data, rb_intern("has_key?"), 1, sym_path)) {
path = rb_str_new2("");
} else {
path = rb_funcall(rb_funcall(data, rb_intern("fetch"), 1, sym_path), rb_intern("to_s"), 0);
}
SecKeychainItemRef itemRef = nil;
OSStatus status = SecKeychainFindInternetPassword (
NULL, // default keychain
strlen(StringValuePtr(server)), // length of serverName
StringValuePtr(server), // serverName
0, // length of domain
NULL, // no domain
strlen(StringValuePtr(account)), // length of account name
StringValuePtr(account), // account name
strlen(StringValuePtr(path)), // length of path
StringValuePtr(path), // path
port, // ignore port
String2FourChar(StringValuePtr(protocol)), // protocol
auth,
nil,
nil,
&itemRef
);
if (status != noErr || !itemRef)
return Qfalse;
status = SecKeychainItemDelete(itemRef);
return status == noErr ? Qtrue : Qfalse;
}
VALUE set_internet_password_for(VALUE self, VALUE data) {
VALUE ret = Qfalse;
CHECK_FETCH_HASH_KEY(account)
CHECK_FETCH_HASH_KEY(protocol)
CHECK_FETCH_HASH_KEY(server)
CHECK_FETCH_HASH_KEY(password)
VALUE sym_auth = rb_eval_string(":auth");
VALUE auth;
if (!rb_funcall(data, rb_intern("has_key?"), 1, sym_auth)) {
auth = kSecAuthenticationTypeDefault;
} else {
auth = rb_funcall(rb_funcall(data, rb_intern("fetch"), 1, sym_auth), rb_intern("to_s"), 0);
auth = String2FourChar(StringValuePtr(auth));
}
VALUE sym_port = rb_eval_string(":port");
VALUE port;
if (!rb_funcall(data, rb_intern("has_key?"), 1, sym_port)) {
port = 0;
} else {
port = rb_funcall(rb_funcall(data, rb_intern("fetch"), 1, sym_port), rb_intern("to_i"), 0);
port = NUM2INT(port);
}
VALUE sym_path = rb_eval_string(":path");
VALUE path;
if (!rb_funcall(data, rb_intern("has_key?"), 1, sym_path)) {
path = rb_str_new2("");
} else {
path = rb_funcall(rb_funcall(data, rb_intern("fetch"), 1, sym_path), rb_intern("to_s"), 0);
}
OSStatus status = SecKeychainAddInternetPassword (
NULL, // default keychain
strlen(StringValuePtr(server)), // length of serverName
StringValuePtr(server), // serverName
0, // length of domain
NULL, // no domain
strlen(StringValuePtr(account)), // length of account name
StringValuePtr(account), // account name
strlen(StringValuePtr(path)), // length of path
StringValuePtr(path), // path
port, // ignore port
String2FourChar(StringValuePtr(protocol)), // protocol
auth, // auth type
strlen(StringValuePtr(password)),
StringValuePtr(password),
NULL
);
if (status == noErr) {
ret = Qtrue;
} else if (status == errSecDuplicateItem) {
// Try updating instead
SecKeychainItemRef itemRef = nil;
status = SecKeychainFindInternetPassword (
NULL, // default keychain
strlen(StringValuePtr(server)), // length of serverName
StringValuePtr(server), // serverName
0, // length of domain
NULL, // no domain
strlen(StringValuePtr(account)), // length of account name
StringValuePtr(account), // account name
strlen(StringValuePtr(path)), // length of path
StringValuePtr(path), // path
port, // ignore port
String2FourChar(StringValuePtr(protocol)), // protocol
auth,
nil,
nil,
&itemRef
);
if (status != noErr)
rb_raise(rb_eStandardError, getStatusString(status));
status = SecKeychainItemModifyAttributesAndData (
itemRef, // the item reference
NULL, // no change to attributes
strlen(StringValuePtr(password)), // length of password
StringValuePtr(password) // pointer to password data
);
if (status != noErr)
rb_raise(rb_eStandardError, getStatusString(status));
ret = Qtrue;
} else {
rb_raise(rb_eStandardError, getStatusString(status));
}
return ret;
}
