- More robust error display and handling
- [secret-store] Don't save session keyring to disk - [dbus] Allow unlocking even when always unlock is not available - [dbus] Hide the automatically unlock check when login not usable - [login] Fix various issues storing and using auto unlock passwords
parent
de0f5c62f4
commit
9db95ed3a2
1361
gnome-keyring-2.30.0-better-error-handling.patch
Normal file
1361
gnome-keyring-2.30.0-better-error-handling.patch
Normal file
File diff suppressed because it is too large
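--- a/gnome-keyring-2.30.0-dont-save-session-keyring-to-disk.patch
+++ b/gnome-keyring-2.30.0-dont-save-session-keyring-to-disk.patch
@@ -0,0 +1,259 @@
+From d30630070b2e7f6173ea872f45bb47b70948e796 Mon Sep 17 00:00:00 2001
+From: Stef Walter <stef@memberwebs.com>
+Date: Sat, 20 Mar 2010 02:19:44 +0000
+Subject: [secret-store] Don't save session keyring to disk.
+
+There was a major problem where the session keyring was being saved
+to disk, and since it had to master password, as a cleartext keyring
+
+Mark the session keyring as transient so it doesn't even come near
+the storage code. Also rework the collection storage code, so that
+it properly handles various corner cases.
+
+Fixes bug #612977
+---
+diff --git a/pkcs11/gck/gck-object.c b/pkcs11/gck/gck-object.c
+index a568042..a2d03e2 100644
+--- a/pkcs11/gck/gck-object.c
++++ b/pkcs11/gck/gck-object.c
+@@ -41,7 +41,8 @@ enum {
+PROP_MODULE,
+PROP_MANAGER,
+PROP_STORE,
+- PROP_UNIQUE
++ PROP_UNIQUE,
++ PROP_TRANSIENT
+};
+
+enum {
+@@ -201,6 +202,13 @@ find_credential (GckCredential *cred, GckObject *object, gpointer user_data)
+return TRUE;
+}
+
++static void
++mark_object_transient (GckObject *self)
++{
++ if (!self->pv->transient)
++ self->pv->transient = g_slice_new0 (GckObjectTransient);
++}
++
+/* -----------------------------------------------------------------------------
+* OBJECT
+*/
+@@ -337,7 +345,7 @@ gck_object_real_create_attributes (GckObject *self, GckSession *session,
+CKA_G_DESTRUCT_IDLE, CKA_GNOME_TRANSIENT, G_MAXULONG);
+
+if (transient) {
+- self->pv->transient = g_slice_new0 (GckObjectTransient);
++ mark_object_transient (self);
+self->pv->transient->timed_after = after;
+self->pv->transient->timed_idle = idle;
+}
+@@ -481,6 +489,11 @@ gck_object_set_property (GObject *obj, guint prop_id, const GValue *value,
+g_return_if_fail (!self->pv->unique);
+self->pv->unique = g_value_dup_string (value);
+break;
++ case PROP_TRANSIENT:
++ g_return_if_fail (!self->pv->transient);
++ if (g_value_get_boolean (value))
++ mark_object_transient (self);
++ break;
+default:
+G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec);
+break;
+@@ -510,6 +523,9 @@ gck_object_get_property (GObject *obj, guint prop_id, GValue *value,
+case PROP_UNIQUE:
+g_value_set_string (value, gck_object_get_unique (self));
+break;
++ case PROP_TRANSIENT:
++ g_value_set_boolean (value, gck_object_is_transient (self));
++ break;
+default:
+G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec);
+break;
+@@ -556,7 +572,11 @@ gck_object_class_init (GckObjectClass *klass)
+g_object_class_install_property (gobject_class, PROP_UNIQUE,
+g_param_spec_string ("unique", "Unique Identifer", "Machine unique identifier",
+NULL, G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
+-
++
++ g_object_class_install_property (gobject_class, PROP_TRANSIENT,
++ g_param_spec_boolean ("transient", "Transient Object", "Transient Object",
++ FALSE, G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
++
+signals[EXPOSE_OBJECT] = g_signal_new ("expose-object", GCK_TYPE_OBJECT,
+G_SIGNAL_RUN_FIRST, G_STRUCT_OFFSET (GckObjectClass, expose_object),
+NULL, NULL, g_cclosure_marshal_VOID__BOOLEAN,
+diff --git a/pkcs11/secret-store/gck-secret-module.c b/pkcs11/secret-store/gck-secret-module.c
+index 5b08008..c3cba91 100644
+--- a/pkcs11/secret-store/gck-secret-module.c
++++ b/pkcs11/secret-store/gck-secret-module.c
+@@ -42,10 +42,7 @@ struct _GckSecretModule {
+GckFileTracker *tracker;
+GHashTable *collections;
+gchar *directory;
+-
+- /* Special 'session' keyring */
+GckCredential *session_credential;
+- GckSecretCollection *session_collection;
+};
+
+static const CK_SLOT_INFO gck_secret_module_slot_info = {
+@@ -301,42 +298,52 @@ gck_secret_module_real_refresh_token (GckModule *base)
+}
+
+static void
++gck_secret_module_real_add_object (GckModule *module, GckTransaction *transaction,
++ GckObject *object)
++{
++ GckSecretModule *self = GCK_SECRET_MODULE (module);
++ GckSecretCollection *collection;
++ const gchar *identifier;
++ gchar *filename;
++
++ g_return_if_fail (!gck_transaction_get_failed (transaction));
++
++ if (GCK_IS_SECRET_COLLECTION (object)) {
++ collection = GCK_SECRET_COLLECTION (object);
++
++ /* Setup a filename for this collection */
++ identifier = gck_secret_object_get_identifier (GCK_SECRET_OBJECT (collection));
++ filename = identifier_to_new_filename (self, identifier);
++ gck_secret_collection_set_filename (collection, filename);
++ g_free (filename);
++
++ add_collection (self, transaction, collection);
++ }
++}
++
++static void
+gck_secret_module_real_store_object (GckModule *module, GckTransaction *transaction,
+GckObject *object)
+{
+GckSecretModule *self = GCK_SECRET_MODULE (module);
+GckSecretCollection *collection = NULL;
+- const gchar *identifier;
+- gchar *filename;
+
+- /* Storing an item */
++ /* Store the item's collection */
+if (GCK_IS_SECRET_ITEM (object)) {
+collection = gck_secret_item_get_collection (GCK_SECRET_ITEM (object));
+g_return_if_fail (GCK_IS_SECRET_COLLECTION (collection));
++ gck_module_store_token_object (GCK_MODULE (self), transaction, GCK_OBJECT (collection));
+
+/* Storing a collection */
+} else if (GCK_IS_SECRET_COLLECTION (object)) {
+collection = GCK_SECRET_COLLECTION (object);
+- }
++ gck_secret_collection_save (collection, transaction);
+
+/* No other kind of token object */
+- if (collection == NULL) {
++ } else {
+g_warning ("can't store object of type '%s' on secret token", G_OBJECT_TYPE_NAME (object));
+gck_transaction_fail (transaction, CKR_GENERAL_ERROR);
+- return;
+- }
+-
+- /* Setup a filename for this collection */
+- if (!gck_secret_collection_get_filename (collection)) {
+- identifier = gck_secret_object_get_identifier (GCK_SECRET_OBJECT (collection));
+- filename = identifier_to_new_filename (self, identifier);
+- gck_secret_collection_set_filename (collection, filename);
+- g_free (filename);
+}
+-
+- gck_secret_collection_save (collection, transaction);
+- if (!gck_transaction_get_failed (transaction))
+- add_collection (self, transaction, collection);
+}
+
+static void
+@@ -351,11 +358,6 @@ gck_secret_module_real_remove_object (GckModule *module, GckTransaction *transac
+GCK_OBJECT (self->session_credential) == object)
+return;
+
+- /* Ignore the session keyring collection */
+- if (self->session_collection != NULL &&
+- GCK_OBJECT (self->session_collection) == object)
+- return;
+-
+/* Removing an item */
+if (GCK_IS_SECRET_ITEM (object)) {
+collection = gck_secret_item_get_collection (GCK_SECRET_ITEM (object));
+@@ -384,6 +386,7 @@ gck_secret_module_constructor (GType type, guint n_props, GObjectConstructParam
+{
+GckSecretModule *self = GCK_SECRET_MODULE (G_OBJECT_CLASS (gck_secret_module_parent_class)->constructor(type, n_props, props));
+GckManager *manager;
++ GckObject *collection;
+CK_RV rv;
+
+g_return_val_if_fail (self, NULL);
+@@ -401,22 +404,27 @@ gck_secret_module_constructor (GType type, guint n_props, GObjectConstructParam
+
+manager = gck_module_get_manager (GCK_MODULE (self));
+
++ collection = g_object_new (GCK_TYPE_SECRET_COLLECTION,
++ "module", self,
++ "identifier", "session",
++ "manager", manager,
++ "transient", TRUE,
++ NULL);
++
+/* Create the 'session' keyring, which is not stored to disk */
+- self->session_collection = g_object_new (GCK_TYPE_SECRET_COLLECTION,
+- "module", self,
+- "identifier", "session",
+- "manager", manager,
+- NULL);
+- gck_object_expose (GCK_OBJECT (self->session_collection), TRUE);
++ g_return_val_if_fail (gck_object_is_transient (collection), NULL);
++ gck_module_add_token_object (GCK_MODULE (self), NULL, collection);
++ gck_object_expose (collection, TRUE);
+
+/* Unlock the 'session' keyring */
+- rv = gck_credential_create (GCK_MODULE (self), manager, GCK_OBJECT (self->session_collection),
++ rv = gck_credential_create (GCK_MODULE (self), manager, GCK_OBJECT (collection),
+NULL, 0, &self->session_credential);
+if (rv == CKR_OK)
+gck_object_expose (GCK_OBJECT (self->session_credential), TRUE);
+else
+g_warning ("couldn't unlock the 'session' keyring");
+
++ g_object_unref (collection);
+return G_OBJECT (self);
+}
+
+@@ -438,10 +446,6 @@ gck_secret_module_dispose (GObject *obj)
+g_object_unref (self->tracker);
+self->tracker = NULL;
+
+- if (self->session_collection)
+- g_object_unref (self->session_collection);
+- self->session_collection = NULL;
+-
+if (self->session_credential)
+g_object_unref (self->session_credential);
+self->session_credential = NULL;
+@@ -465,7 +469,6 @@ gck_secret_module_finalize (GObject *obj)
+self->directory = NULL;
+
+g_assert (!self->session_credential);
+- g_assert (!self->session_collection);
+
+G_OBJECT_CLASS (gck_secret_module_parent_class)->finalize (obj);
+}
+@@ -484,8 +487,9 @@ gck_secret_module_class_init (GckSecretModuleClass *klass)
+module_class->get_token_info = gck_secret_module_real_get_token_info;
+module_class->parse_argument = gck_secret_module_real_parse_argument;
+module_class->refresh_token = gck_secret_module_real_refresh_token;
+- module_class->remove_token_object = gck_secret_module_real_remove_object;
++ module_class->add_token_object = gck_secret_module_real_add_object;
+module_class->store_token_object = gck_secret_module_real_store_object;
++ module_class->remove_token_object = gck_secret_module_real_remove_object;
+}
+
+/* ---------------------------------------------------------------------------------------
+--
+cgit v0.8.3.1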
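Review bot: Nothing in the new `gck_secret_module_real_store_object` checks `gck_object_is_transient`, so keeping the session keyring off disk depends entirely on `gck_module_store_token_object` and `gck_module_add_token_object` filtering transient objects, and neither is shown in this patch. An item of the session collection reaches the added `gck_module_store_token_object (..., GCK_OBJECT (collection))` call, and a collection reaches `gck_secret_collection_save`. Because a regression here means a cleartext keyring on disk again, I would add a local guard in the collection branch, `g_return_if_fail (!gck_object_is_transient (GCK_OBJECT (collection)));` placed before `gck_secret_collection_save (collection, transaction);`. A comment on the `PROP_TRANSIENT` case stating that transient objects must never reach the storage vfuncs would document the invariant.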
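--- a/gnome-keyring-2.30.0-fix-storing-autounlock.patch
+++ b/gnome-keyring-2.30.0-fix-storing-autounlock.patch
@@ -0,0 +1,335 @@
+From d864698a290c55d1ccda5cc20946894ade5e827d Mon Sep 17 00:00:00 2001
+From: Stef Walter <stef@memberwebs.com>
+Date: Sun, 21 Mar 2010 15:55:51 +0000
+Subject: [login] Fix various issues storing and using auto unlock passwords.
+
+* Unwrap secrets directly into login keyring for auto unlock.
+* Fix various corner cases using auto unlock stuff in login keyring.
+---
+diff --git a/daemon/dbus/gkd-secret-session.c b/daemon/dbus/gkd-secret-session.c
+index 80cd054..73551df 100644
+--- a/daemon/dbus/gkd-secret-session.c
++++ b/daemon/dbus/gkd-secret-session.c
+@@ -730,6 +730,8 @@ gkd_secret_session_create_credential (GkdSecretSession *self, GP11Session *sessi
+}
+g_clear_error (&error);
+return NULL;
++ } else {
++ gp11_object_set_session (object, session);
+}
+
+return object;
+diff --git a/daemon/dbus/gkd-secret-unlock.c b/daemon/dbus/gkd-secret-unlock.c
+index 8a70ddc..f5df63b 100644
+--- a/daemon/dbus/gkd-secret-unlock.c
++++ b/daemon/dbus/gkd-secret-unlock.c
+@@ -247,43 +247,35 @@ check_locked_collection (GP11Object *collection, gboolean *locked)
+}
+
+static void
+-attach_credential_to_login (GP11Object *collection, GP11Object *cred)
++attach_unlock_to_login (GP11Object *collection, GkdSecretSecret *master)
+{
+- GError *error = NULL;
++ DBusError derr = DBUS_ERROR_INIT;
+GP11Attributes *attrs;
+- gpointer value;
+- gsize n_value;
++ GP11Object *cred;
+gchar *location;
+gchar *label;
+
+g_assert (GP11_IS_OBJECT (collection));
+- g_assert (GP11_IS_OBJECT (cred));
+
++ /* Relevant information for the unlock item */
+attrs = attributes_for_collection (collection);
+g_return_if_fail (attrs);
+-
+location = location_string_for_attributes (attrs);
+label = label_string_for_attributes (attrs);
+gp11_attributes_unref (attrs);
+
+- value = gp11_object_get_data_full (cred, CKA_VALUE, egg_secure_realloc, NULL, &n_value, &error);
+- if (value) {
+- if (g_utf8_validate (value, n_value, NULL))
+- gkd_login_attach_secret (label, value, "keyring", location, NULL);
+- else
+- g_warning ("couldn't save non utf-8 unlock credentials in login keyring");
+- egg_secure_clear (value, n_value);
+- egg_secure_free (value);
+-
+- } else {
+- if (!g_error_matches (error, GP11_ERROR, CKR_USER_NOT_LOGGED_IN))
+- g_warning ("couldn't read unlock credentials to save in login keyring: %s",
+- egg_error_message (error));
+- g_clear_error (&error);
+- }
+-
++ attrs = gkd_login_attach_make_attributes (label, "keyring", location, NULL);
+g_free (location);
+g_free (label);
++
++ cred = gkd_secret_session_create_credential (master->session, NULL, attrs, master, &derr);
++ gp11_attributes_unref (attrs);
++ g_object_unref (cred);
++
++ if (!cred) {
++ g_warning ("couldn't save unlock password in login collection: %s", derr.message);
++ dbus_error_free (&derr);
++ }
+}
+
+static void
+@@ -304,6 +296,7 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
+GP11Attribute *attr;
+GP11Object *cred;
+gboolean transient;
++ gboolean result;
+
+g_assert (GKD_SECRET_IS_UNLOCK (self));
+g_assert (GP11_IS_OBJECT (collection));
+@@ -336,35 +329,37 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
+}
+
+cred = gkd_secret_session_create_credential (master->session, NULL, template, master, &derr);
+- gkd_secret_secret_free (master);
++ g_object_unref (cred);
+
+if (cred) {
+/* Save it to the login keyring */
+if (!transient)
+- attach_credential_to_login (collection, cred);
+- g_object_unref (cred);
++ attach_unlock_to_login (collection, master);
+
+/* Save away the unlock options for next time */
+gp11_object_set_template (collection, CKA_G_CREDENTIAL_TEMPLATE, template, NULL);
+gp11_attributes_unref (template);
+
+*locked = FALSE;
+- return TRUE; /* Operation succeeded, and unlocked */
++ result = TRUE; /* Operation succeeded, and unlocked */
+
+} else {
+gp11_attributes_unref (template);
+if (dbus_error_has_name (&derr, INTERNAL_ERROR_DENIED)) {
+dbus_error_free (&derr);
+*locked = TRUE;
+- return TRUE; /* Operation succeded, although not unlocked*/
++ result = TRUE; /* Operation succeded, although not unlocked*/
+
+} else {
+g_warning ("couldn't create credential for collection: %s",
+derr.message);
+dbus_error_free (&derr);
+- return FALSE; /* Operation failed */
++ result = FALSE; /* Operation failed */
+}
+}
++
++ gkd_secret_secret_free (master);
++ return result;
+}
+
+/* -----------------------------------------------------------------------------
+diff --git a/daemon/login/gkd-login.c b/daemon/login/gkd-login.c
+index bdef57d..373561c 100644
+--- a/daemon/login/gkd-login.c
++++ b/daemon/login/gkd-login.c
+@@ -77,7 +77,9 @@ open_and_login_session (GP11Slot *slot, CK_USER_TYPE user_type, GError **error)
+session = gp11_slot_open_session (slot, CKF_RW_SESSION, error);
+if (session != NULL) {
+if (!gp11_session_login (session, user_type, NULL, 0, error)) {
+- if ((*error)->code != CKR_USER_ALREADY_LOGGED_IN) {
++ if (g_error_matches (*error, GP11_ERROR, CKR_USER_ALREADY_LOGGED_IN)) {
++ g_clear_error (error);
++ } else {
+g_object_unref (session);
+session = NULL;
+}
+@@ -574,20 +576,88 @@ find_login_keyring_item (GP11Session *session, GP11Attribute *fields)
+return item;
+}
+
++static GP11Attributes*
++attach_make_attributes_va (GP11Session *session, const gchar *label,
++ const gchar *first, va_list va)
++{
++ GP11Attributes *attrs;
++ GP11Attribute fields;
++ gchar *display_name;
++ GP11Object* item;
++ GError *error = NULL;
++ gpointer value;
++ gsize n_value;
++
++ attrs = gp11_attributes_new ();
++
++ gp11_attribute_init_empty (&fields, CKA_G_FIELDS);
++ string_attribute_list_va (va, first, &fields);
++
++ /*
++ * If there already is such an item, then include its identifier.
++ * What this does is overwrite that item, rather than creating new.
++ */
++ item = find_login_keyring_item (session, &fields);
++ if (item) {
++ value = gp11_object_get_data (item, CKA_ID, &n_value, &error);
++ if (value != NULL) {
++ gp11_attributes_add_data (attrs, CKA_ID, value, n_value);
++ g_free (value);
++ } else {
++ g_warning ("couldn't retrieve id for previous login item: %s",
++ egg_error_message (error));
++ g_clear_error (&error);
++ }
++ g_object_unref (item);
++ }
++
++ if (label == NULL)
++ label = _("Unnamed");
++
++ display_name = g_strdup_printf (_("Unlock password for: %s"), label);
++ gp11_attributes_add_string (attrs, CKA_LABEL, display_name);
++
++ gp11_attributes_add_boolean (attrs, CKA_TOKEN, TRUE);
++ gp11_attributes_add_ulong (attrs, CKA_CLASS, CKO_SECRET_KEY);
++ gp11_attributes_add_data (attrs, CKA_G_COLLECTION, "login", (gsize)5);
++ gp11_attributes_add (attrs, &fields);
++
++ gp11_attribute_clear (&fields);
++ return attrs;
++}
++
++GP11Attributes*
++gkd_login_attach_make_attributes (const gchar *label, const gchar *first, ...)
++{
++ GP11Attributes *attrs;
++ GP11Session *session;
++ GP11Module *module;
++ va_list va;
++
++ module = module_instance ();
++ session = lookup_login_session (module);
++
++ va_start (va, first);
++ attrs = attach_make_attributes_va (session, label, first, va);
++ va_end (va);
++
++ g_object_unref (session);
++ g_object_unref (module);
++
++ return attrs;
++}
++
+void
+gkd_login_attach_secret (const gchar *label, const gchar *secret,
+const gchar *first, ...)
+{
+GError *error = NULL;
+- GP11Attribute fields;
+GP11Session *session;
+GP11Module *module;
+- gchar *display_name;
+- GP11Object* item;
++ GP11Attributes *attrs;
++ GP11Object *item;
+va_list va;
+
+- if (label == NULL)
+- label = _("Unnamed");
+if (secret == NULL)
+secret = "";
+
+@@ -595,29 +665,11 @@ gkd_login_attach_secret (const gchar *label, const gchar *secret,
+session = lookup_login_session (module);
+
+va_start(va, first);
+- gp11_attribute_init_empty (&fields, CKA_G_FIELDS);
+- string_attribute_list_va (va, first, &fields);
++ attrs = attach_make_attributes_va (session, label, first, va);
+va_end(va);
+
+- display_name = g_strdup_printf (_("Unlock password for: %s"), label);
+-
+- item = find_login_keyring_item (session, &fields);
+- if (item) {
+- gp11_object_set (item, &error,
+- CKA_LABEL, strlen (display_name), display_name,
+- CKA_VALUE, strlen (secret), secret,
+- GP11_INVALID);
+- } else {
+- item = gp11_session_create_object (session, &error,
+- CKA_TOKEN, GP11_BOOLEAN, TRUE,
+- CKA_CLASS, GP11_ULONG, CKO_SECRET_KEY,
+- CKA_LABEL, strlen (display_name), display_name,
+- CKA_VALUE, strlen (secret), secret,
+- CKA_G_COLLECTION, (gsize)5, "login",
+- CKA_G_FIELDS, fields.length, fields.value,
+- GP11_INVALID);
+- }
+-
++ gp11_attributes_add_string (attrs, CKA_VALUE, secret);
++ item = gp11_session_create_object_full (session, attrs, NULL, &error);
+if (error != NULL) {
+g_warning ("couldn't store secret in login keyring: %s", egg_error_message (error));
+g_clear_error (&error);
+@@ -625,8 +677,8 @@ gkd_login_attach_secret (const gchar *label, const gchar *secret,
+
+if (item)
+g_object_unref (item);
+- g_free (display_name);
+- gp11_attribute_clear (&fields);
++
++ gp11_attributes_unref (attrs);
+g_object_unref (session);
+g_object_unref (module);
+}
+@@ -701,22 +753,3 @@ gkd_login_remove_secret (const gchar *first, ...)
+g_object_unref (session);
+g_object_unref (module);
+}
+-
+-GP11Attributes*
+-gkd_login_attributes_for_secret (const gchar *first, ...)
+-{
+- GP11Attributes *attrs;
+- GP11Attribute *fields;
+- va_list va;
+-
+- attrs = gp11_attributes_newv (CKA_CLASS, GP11_ULONG, CKO_SECRET_KEY,
+- CKA_G_COLLECTION, (gsize)5, "login",
+- GP11_INVALID);
+-
+- va_start(va, first);
+- fields = gp11_attributes_add_empty (attrs, CKA_G_FIELDS);
+- string_attribute_list_va (va, first, fields);
+- va_end(va);
+-
+- return attrs;
+-}
+diff --git a/daemon/login/gkd-login.h b/daemon/login/gkd-login.h
+index 89157b1..849b9f4 100644
+--- a/daemon/login/gkd-login.h
++++ b/daemon/login/gkd-login.h
+@@ -40,13 +40,14 @@ void gkd_login_attach_secret (const gchar *label,
+const gchar *first,
+...);
+
+-gchar* gkd_login_lookup_secret (const gchar *first,
++GP11Attributes* gkd_login_attach_make_attributes (const gchar *label,
++ const gchar *first,
+...);
+
+-void gkd_login_remove_secret (const gchar *first,
++gchar* gkd_login_lookup_secret (const gchar *first,
+...);
+
+-GP11Attributes* gkd_login_attributes_for_secret (const gchar *first,
++void gkd_login_remove_secret (const gchar *first,
+...);
+
+#endif /* __GKD_LOGIN_H__ */
+--
+cgit v0.8.3.1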
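Review bot: `g_object_unref (cred);` runs before the NULL check in both `attach_unlock_to_login` and `authenticate_collection`, so every failed `gkd_secret_session_create_credential` call, including the ordinary `INTERNAL_ERROR_DENIED` branch for a rejected password, passes NULL to `g_object_unref`. GLib reports that as a critical, and the daemon aborts when criticals are made fatal. Move the unref onto the success path: in `authenticate_collection` place it inside `if (cred) {`, and in `attach_unlock_to_login` write `if (cred) g_object_unref (cred);` with the warning in the `else`. Separately, `attach_make_attributes_va` never frees `display_name` after `gp11_attributes_add_string (attrs, CKA_LABEL, display_name);`, although the `g_free (display_name);` it replaces was removed from `gkd_login_attach_secret`; assuming the attribute set copies the string, add `g_free (display_name);` before `return attrs;`.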
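--- a/gnome-keyring-2.30.0-hide-automaticall-unlock.patch
+++ b/gnome-keyring-2.30.0-hide-automaticall-unlock.patch
@@ -0,0 +1,26 @@
+From 0512a0b5a30b432f53ee8c48d75acd582c5c9c9d Mon Sep 17 00:00:00 2001
+From: Stef Walter <stef@memberwebs.com>
+Date: Sun, 21 Mar 2010 14:24:33 +0000
+Subject: [dbus] Hide the automatically unlock check when login not usable.
+
+If the login keyring is locked or not present, hide the auto
+unlock check box since that option isn't usable.
+---
+diff --git a/daemon/dbus/gkd-secret-unlock.c b/daemon/dbus/gkd-secret-unlock.c
+index 52e4978..8a70ddc 100644
+--- a/daemon/dbus/gkd-secret-unlock.c
++++ b/daemon/dbus/gkd-secret-unlock.c
+@@ -200,6 +200,11 @@ prepare_unlock_prompt (GkdSecretUnlock *self, GP11Object *coll, gboolean first)
+
+g_free (label);
+
++ if (gkd_login_is_usable ())
++ gkd_prompt_show_widget (prompt, "auto_unlock_check");
++ else
++ gkd_prompt_hide_widget (prompt, "auto_unlock_check");
++
+/* Setup the unlock options */
+if (first) {
+template = gp11_object_get_template (coll, CKA_G_CREDENTIAL_TEMPLATE, &error);
+--
+cgit v0.8.3.1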
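Review bot: Hiding `auto_unlock_check` only changes what the user sees; the `if (first)` block directly below still reads the saved `CKA_G_CREDENTIAL_TEMPLATE`, so a previously stored auto-unlock choice may still come back from the prompt while the box is invisible (how the prompt treats hidden widgets is not visible in this hunk). The decision to save the unlock password should therefore also be checked where it is acted on, for example `if (!transient && gkd_login_is_usable ())` in front of the login-keyring attach in `authenticate_collection`. A short comment above the new `if`, such as `/* The auto unlock option needs an unlocked login keyring */`, would record why the widget is toggled. `prepare_unlock_prompt` begins and ends outside this hunk.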
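--- a/gnome-keyring-2.30.0-unlocking-when-unavailable.patch
+++ b/gnome-keyring-2.30.0-unlocking-when-unavailable.patch
@@ -0,0 +1,52 @@
+From e43a24701767d1a8fd72f2f3ed01fe0937364b6d Mon Sep 17 00:00:00 2001
+From: Stef Walter <stef@memberwebs.com>
+Date: Sun, 21 Mar 2010 14:06:43 +0000
+Subject: [dbus] Allow unlocking even when always unlock is not available.
+
+When the Always Unlock option could not work (due to a missing or
+locked login keyring) unlocking a keyring fail when that option
+was selected.
+
+Fixes bug #610998
+---
+diff --git a/daemon/dbus/gkd-secret-unlock.c b/daemon/dbus/gkd-secret-unlock.c
+index ee17fd1..52e4978 100644
+--- a/daemon/dbus/gkd-secret-unlock.c
++++ b/daemon/dbus/gkd-secret-unlock.c
+@@ -271,8 +271,9 @@ attach_credential_to_login (GP11Object *collection, GP11Object *cred)
+egg_secure_free (value);
+
+} else {
+- g_warning ("couldn't read unlock credentials to save in login keyring: %s",
+- egg_error_message (error));
++ if (!g_error_matches (error, GP11_ERROR, CKR_USER_NOT_LOGGED_IN))
++ g_warning ("couldn't read unlock credentials to save in login keyring: %s",
++ egg_error_message (error));
+g_clear_error (&error);
+}
+
+@@ -295,6 +296,7 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
+DBusError derr = DBUS_ERROR_INIT;
+GkdSecretSecret *master;
+GP11Attributes *template;
++ GP11Attribute *attr;
+GP11Object *cred;
+gboolean transient;
+
+@@ -321,8 +323,12 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
+gkd_prompt_get_unlock_options (GKD_PROMPT (self), template);
+
+/* If it's supposed to save non-transient, then we override that */
+- if (!gp11_attributes_find_boolean (template, CKA_GNOME_TRANSIENT, &transient))
+- transient = TRUE;
++ attr = gp11_attributes_find (template, CKA_GNOME_TRANSIENT);
++ if (attr != NULL) {
++ transient = gp11_attribute_get_boolean (attr);
++ gp11_attribute_clear (attr);
++ gp11_attribute_init_boolean (attr, CKA_GNOME_TRANSIENT, TRUE);
++ }
+
+cred = gkd_secret_session_create_credential (master->session, NULL, template, master, &derr);
+gkd_secret_secret_free (master);
+--
+cgit v0.8.3.1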
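Review bot: `transient` can now be read without ever being set when the template carries no `CKA_GNOME_TRANSIENT` attribute, because the old `transient = TRUE;` fallback is removed and the declaration in the second hunk is a bare `gboolean transient;` (unless it is assigned in the lines between the hunks, which are not shown). The `if (!transient)` test later in `authenticate_collection`, visible in the fix-storing-autounlock patch on this page, then decides on an indeterminate value whether the unlock password is saved to the login keyring. Restore the safe default, either `gboolean transient = TRUE;` at the declaration or `else transient = TRUE;` after the new `if (attr != NULL)` block. `authenticate_collection` begins and ends outside these hunks.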
@ -8,7 +8,7 @@
|
||||
Summary: Framework for managing passwords and other secrets
|
||||
Name: gnome-keyring
|
||||
Version: 2.29.92
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: System Environment/Libraries
|
||||
Source: http://download.gnome.org/sources/gnome-keyring/2.29/gnome-keyring-%{version}.tar.bz2
|
||||
@ -17,6 +17,13 @@ Source: http://download.gnome.org/sources/gnome-keyring/2.29/gnome-keyring-%{ver
|
||||
# http://bugs.gnome.org/598494
|
||||
Patch3: gnome-keyring-2.28.1-nopass.patch
|
||||
|
||||
# from master
|
||||
Patch4: gnome-keyring-2.30.0-better-error-handling.patch
|
||||
Patch5: gnome-keyring-2.30.0-dont-save-session-keyring-to-disk.patch
|
||||
Patch6: gnome-keyring-2.30.0-unlocking-when-unavailable.patch
|
||||
Patch7: gnome-keyring-2.30.0-hide-automaticall-unlock.patch
|
||||
Patch8: gnome-keyring-2.30.0-fix-storing-autounlock.patch
|
||||
|
||||
|
||||
URL: http://www.gnome.org
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
@ -76,6 +83,11 @@ automatically unlock the "login" keyring when the user logs in.
|
||||
%prep
|
||||
%setup -q -n gnome-keyring-%{version}
|
||||
%patch3 -p1 -b .no-pass
|
||||
%patch4 -p1 -b .better-error-handling
|
||||
%patch5 -p1 -b .dont-save-session-keyring-to-disk
|
||||
%patch6 -p1 -b .unlocking-when-unavailable
|
||||
%patch7 -p1 -b .hide-automaticall-unlock
|
||||
%patch8 -p1 -b .fix-storing-autounlock
|
||||
|
||||
|
||||
%build
|
||||
@ -154,6 +166,13 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Mar 22 2010 Tomas Bzatek <tbzatek@redhat.com> - 2.29.92-2
|
||||
- More robust error display and handling
|
||||
- [secret-store] Don't save session keyring to disk
|
||||
- [dbus] Allow unlocking even when always unlock is not available
|
||||
- [dbus] Hide the automatically unlock check when login not usable
|
||||
- [login] Fix various issues storing and using auto unlock passwords
|
||||
|
||||
* Wed Mar 10 2010 Tomas Bzatek <tbzatek@redhat.com> - 2.29.92-1
|
||||
- Update to 2.29.92
|
||||
|
||||
|