- Update to 2.31.92

Tomas Bzatek 2010-09-13 14:32:26 +02:00
parent 6974d55cdf
commit 5a880a0a73
10 changed files with 19 additions and 2137 deletions

1
.gitignore vendored

@ -1,2 +1,3 @@
gnome-keyring-2.31.4.tar.bz2
/gnome-keyring-2.31.91.tar.bz2
/gnome-keyring-2.31.92.tar.bz2

File diff suppressed because it is too large Load Diff


@ -1,259 +0,0 @@
From d30630070b2e7f6173ea872f45bb47b70948e796 Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Sat, 20 Mar 2010 02:19:44 +0000
Subject: [secret-store] Don't save session keyring to disk.
There was a major problem where the session keyring was being saved
to disk, and since it had to master password, as a cleartext keyring
Mark the session keyring as transient so it doesn't even come near
the storage code. Also rework the collection storage code, so that
it properly handles various corner cases.
Fixes bug #612977
---
diff --git a/pkcs11/gck/gck-object.c b/pkcs11/gck/gck-object.c
index a568042..a2d03e2 100644
--- a/pkcs11/gck/gck-object.c
+++ b/pkcs11/gck/gck-object.c
@@ -41,7 +41,8 @@ enum {
PROP_MODULE,
PROP_MANAGER,
PROP_STORE,
- PROP_UNIQUE
+ PROP_UNIQUE,
+ PROP_TRANSIENT
};
enum {
@@ -201,6 +202,13 @@ find_credential (GckCredential *cred, GckObject *object, gpointer user_data)
return TRUE;
}
+static void
+mark_object_transient (GckObject *self)
+{
+ if (!self->pv->transient)
+ self->pv->transient = g_slice_new0 (GckObjectTransient);
+}
+
/* -----------------------------------------------------------------------------
* OBJECT
*/
@@ -337,7 +345,7 @@ gck_object_real_create_attributes (GckObject *self, GckSession *session,
CKA_G_DESTRUCT_IDLE, CKA_GNOME_TRANSIENT, G_MAXULONG);
if (transient) {
- self->pv->transient = g_slice_new0 (GckObjectTransient);
+ mark_object_transient (self);
self->pv->transient->timed_after = after;
self->pv->transient->timed_idle = idle;
}
@@ -481,6 +489,11 @@ gck_object_set_property (GObject *obj, guint prop_id, const GValue *value,
g_return_if_fail (!self->pv->unique);
self->pv->unique = g_value_dup_string (value);
break;
+ case PROP_TRANSIENT:
+ g_return_if_fail (!self->pv->transient);
+ if (g_value_get_boolean (value))
+ mark_object_transient (self);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec);
break;
@@ -510,6 +523,9 @@ gck_object_get_property (GObject *obj, guint prop_id, GValue *value,
case PROP_UNIQUE:
g_value_set_string (value, gck_object_get_unique (self));
break;
+ case PROP_TRANSIENT:
+ g_value_set_boolean (value, gck_object_is_transient (self));
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec);
break;
@@ -556,7 +572,11 @@ gck_object_class_init (GckObjectClass *klass)
g_object_class_install_property (gobject_class, PROP_UNIQUE,
g_param_spec_string ("unique", "Unique Identifer", "Machine unique identifier",
NULL, G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
-
+
+ g_object_class_install_property (gobject_class, PROP_TRANSIENT,
+ g_param_spec_boolean ("transient", "Transient Object", "Transient Object",
+ FALSE, G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
+
signals[EXPOSE_OBJECT] = g_signal_new ("expose-object", GCK_TYPE_OBJECT,
G_SIGNAL_RUN_FIRST, G_STRUCT_OFFSET (GckObjectClass, expose_object),
NULL, NULL, g_cclosure_marshal_VOID__BOOLEAN,
diff --git a/pkcs11/secret-store/gck-secret-module.c b/pkcs11/secret-store/gck-secret-module.c
index 5b08008..c3cba91 100644
--- a/pkcs11/secret-store/gck-secret-module.c
+++ b/pkcs11/secret-store/gck-secret-module.c
@@ -42,10 +42,7 @@ struct _GckSecretModule {
GckFileTracker *tracker;
GHashTable *collections;
gchar *directory;
-
- /* Special 'session' keyring */
GckCredential *session_credential;
- GckSecretCollection *session_collection;
};
static const CK_SLOT_INFO gck_secret_module_slot_info = {
@@ -301,42 +298,52 @@ gck_secret_module_real_refresh_token (GckModule *base)
}
static void
+gck_secret_module_real_add_object (GckModule *module, GckTransaction *transaction,
+ GckObject *object)
+{
+ GckSecretModule *self = GCK_SECRET_MODULE (module);
+ GckSecretCollection *collection;
+ const gchar *identifier;
+ gchar *filename;
+
+ g_return_if_fail (!gck_transaction_get_failed (transaction));
+
+ if (GCK_IS_SECRET_COLLECTION (object)) {
+ collection = GCK_SECRET_COLLECTION (object);
+
+ /* Setup a filename for this collection */
+ identifier = gck_secret_object_get_identifier (GCK_SECRET_OBJECT (collection));
+ filename = identifier_to_new_filename (self, identifier);
+ gck_secret_collection_set_filename (collection, filename);
+ g_free (filename);
+
+ add_collection (self, transaction, collection);
+ }
+}
+
+static void
gck_secret_module_real_store_object (GckModule *module, GckTransaction *transaction,
GckObject *object)
{
GckSecretModule *self = GCK_SECRET_MODULE (module);
GckSecretCollection *collection = NULL;
- const gchar *identifier;
- gchar *filename;
- /* Storing an item */
+ /* Store the item's collection */
if (GCK_IS_SECRET_ITEM (object)) {
collection = gck_secret_item_get_collection (GCK_SECRET_ITEM (object));
g_return_if_fail (GCK_IS_SECRET_COLLECTION (collection));
+ gck_module_store_token_object (GCK_MODULE (self), transaction, GCK_OBJECT (collection));
/* Storing a collection */
} else if (GCK_IS_SECRET_COLLECTION (object)) {
collection = GCK_SECRET_COLLECTION (object);
- }
+ gck_secret_collection_save (collection, transaction);
/* No other kind of token object */
- if (collection == NULL) {
+ } else {
g_warning ("can't store object of type '%s' on secret token", G_OBJECT_TYPE_NAME (object));
gck_transaction_fail (transaction, CKR_GENERAL_ERROR);
- return;
- }
-
- /* Setup a filename for this collection */
- if (!gck_secret_collection_get_filename (collection)) {
- identifier = gck_secret_object_get_identifier (GCK_SECRET_OBJECT (collection));
- filename = identifier_to_new_filename (self, identifier);
- gck_secret_collection_set_filename (collection, filename);
- g_free (filename);
}
-
- gck_secret_collection_save (collection, transaction);
- if (!gck_transaction_get_failed (transaction))
- add_collection (self, transaction, collection);
}
static void
@@ -351,11 +358,6 @@ gck_secret_module_real_remove_object (GckModule *module, GckTransaction *transac
GCK_OBJECT (self->session_credential) == object)
return;
- /* Ignore the session keyring collection */
- if (self->session_collection != NULL &&
- GCK_OBJECT (self->session_collection) == object)
- return;
-
/* Removing an item */
if (GCK_IS_SECRET_ITEM (object)) {
collection = gck_secret_item_get_collection (GCK_SECRET_ITEM (object));
@@ -384,6 +386,7 @@ gck_secret_module_constructor (GType type, guint n_props, GObjectConstructParam
{
GckSecretModule *self = GCK_SECRET_MODULE (G_OBJECT_CLASS (gck_secret_module_parent_class)->constructor(type, n_props, props));
GckManager *manager;
+ GckObject *collection;
CK_RV rv;
g_return_val_if_fail (self, NULL);
@@ -401,22 +404,27 @@ gck_secret_module_constructor (GType type, guint n_props, GObjectConstructParam
manager = gck_module_get_manager (GCK_MODULE (self));
+ collection = g_object_new (GCK_TYPE_SECRET_COLLECTION,
+ "module", self,
+ "identifier", "session",
+ "manager", manager,
+ "transient", TRUE,
+ NULL);
+
/* Create the 'session' keyring, which is not stored to disk */
- self->session_collection = g_object_new (GCK_TYPE_SECRET_COLLECTION,
- "module", self,
- "identifier", "session",
- "manager", manager,
- NULL);
- gck_object_expose (GCK_OBJECT (self->session_collection), TRUE);
+ g_return_val_if_fail (gck_object_is_transient (collection), NULL);
+ gck_module_add_token_object (GCK_MODULE (self), NULL, collection);
+ gck_object_expose (collection, TRUE);
/* Unlock the 'session' keyring */
- rv = gck_credential_create (GCK_MODULE (self), manager, GCK_OBJECT (self->session_collection),
+ rv = gck_credential_create (GCK_MODULE (self), manager, GCK_OBJECT (collection),
NULL, 0, &self->session_credential);
if (rv == CKR_OK)
gck_object_expose (GCK_OBJECT (self->session_credential), TRUE);
else
g_warning ("couldn't unlock the 'session' keyring");
+ g_object_unref (collection);
return G_OBJECT (self);
}
@@ -438,10 +446,6 @@ gck_secret_module_dispose (GObject *obj)
g_object_unref (self->tracker);
self->tracker = NULL;
- if (self->session_collection)
- g_object_unref (self->session_collection);
- self->session_collection = NULL;
-
if (self->session_credential)
g_object_unref (self->session_credential);
self->session_credential = NULL;
@@ -465,7 +469,6 @@ gck_secret_module_finalize (GObject *obj)
self->directory = NULL;
g_assert (!self->session_credential);
- g_assert (!self->session_collection);
G_OBJECT_CLASS (gck_secret_module_parent_class)->finalize (obj);
}
@@ -484,8 +487,9 @@ gck_secret_module_class_init (GckSecretModuleClass *klass)
module_class->get_token_info = gck_secret_module_real_get_token_info;
module_class->parse_argument = gck_secret_module_real_parse_argument;
module_class->refresh_token = gck_secret_module_real_refresh_token;
- module_class->remove_token_object = gck_secret_module_real_remove_object;
+ module_class->add_token_object = gck_secret_module_real_add_object;
module_class->store_token_object = gck_secret_module_real_store_object;
+ module_class->remove_token_object = gck_secret_module_real_remove_object;
}
/* ---------------------------------------------------------------------------------------
--
cgit v0.8.3.1


@ -1,335 +0,0 @@
From d864698a290c55d1ccda5cc20946894ade5e827d Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Sun, 21 Mar 2010 15:55:51 +0000
Subject: [login] Fix various issues storing and using auto unlock passwords.
* Unwrap secrets directly into login keyring for auto unlock.
* Fix various corner cases using auto unlock stuff in login keyring.
---
diff --git a/daemon/dbus/gkd-secret-session.c b/daemon/dbus/gkd-secret-session.c
index 80cd054..73551df 100644
--- a/daemon/dbus/gkd-secret-session.c
+++ b/daemon/dbus/gkd-secret-session.c
@@ -730,6 +730,8 @@ gkd_secret_session_create_credential (GkdSecretSession *self, GP11Session *sessi
}
g_clear_error (&error);
return NULL;
+ } else {
+ gp11_object_set_session (object, session);
}
return object;
diff --git a/daemon/dbus/gkd-secret-unlock.c b/daemon/dbus/gkd-secret-unlock.c
index 8a70ddc..f5df63b 100644
--- a/daemon/dbus/gkd-secret-unlock.c
+++ b/daemon/dbus/gkd-secret-unlock.c
@@ -247,43 +247,35 @@ check_locked_collection (GP11Object *collection, gboolean *locked)
}
static void
-attach_credential_to_login (GP11Object *collection, GP11Object *cred)
+attach_unlock_to_login (GP11Object *collection, GkdSecretSecret *master)
{
- GError *error = NULL;
+ DBusError derr = DBUS_ERROR_INIT;
GP11Attributes *attrs;
- gpointer value;
- gsize n_value;
+ GP11Object *cred;
gchar *location;
gchar *label;
g_assert (GP11_IS_OBJECT (collection));
- g_assert (GP11_IS_OBJECT (cred));
+ /* Relevant information for the unlock item */
attrs = attributes_for_collection (collection);
g_return_if_fail (attrs);
-
location = location_string_for_attributes (attrs);
label = label_string_for_attributes (attrs);
gp11_attributes_unref (attrs);
- value = gp11_object_get_data_full (cred, CKA_VALUE, egg_secure_realloc, NULL, &n_value, &error);
- if (value) {
- if (g_utf8_validate (value, n_value, NULL))
- gkd_login_attach_secret (label, value, "keyring", location, NULL);
- else
- g_warning ("couldn't save non utf-8 unlock credentials in login keyring");
- egg_secure_clear (value, n_value);
- egg_secure_free (value);
-
- } else {
- if (!g_error_matches (error, GP11_ERROR, CKR_USER_NOT_LOGGED_IN))
- g_warning ("couldn't read unlock credentials to save in login keyring: %s",
- egg_error_message (error));
- g_clear_error (&error);
- }
-
+ attrs = gkd_login_attach_make_attributes (label, "keyring", location, NULL);
g_free (location);
g_free (label);
+
+ cred = gkd_secret_session_create_credential (master->session, NULL, attrs, master, &derr);
+ gp11_attributes_unref (attrs);
+ g_object_unref (cred);
+
+ if (!cred) {
+ g_warning ("couldn't save unlock password in login collection: %s", derr.message);
+ dbus_error_free (&derr);
+ }
}
static void
@@ -304,6 +296,7 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
GP11Attribute *attr;
GP11Object *cred;
gboolean transient;
+ gboolean result;
g_assert (GKD_SECRET_IS_UNLOCK (self));
g_assert (GP11_IS_OBJECT (collection));
@@ -336,35 +329,37 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
}
cred = gkd_secret_session_create_credential (master->session, NULL, template, master, &derr);
- gkd_secret_secret_free (master);
+ g_object_unref (cred);
if (cred) {
/* Save it to the login keyring */
if (!transient)
- attach_credential_to_login (collection, cred);
- g_object_unref (cred);
+ attach_unlock_to_login (collection, master);
/* Save away the unlock options for next time */
gp11_object_set_template (collection, CKA_G_CREDENTIAL_TEMPLATE, template, NULL);
gp11_attributes_unref (template);
*locked = FALSE;
- return TRUE; /* Operation succeeded, and unlocked */
+ result = TRUE; /* Operation succeeded, and unlocked */
} else {
gp11_attributes_unref (template);
if (dbus_error_has_name (&derr, INTERNAL_ERROR_DENIED)) {
dbus_error_free (&derr);
*locked = TRUE;
- return TRUE; /* Operation succeded, although not unlocked*/
+ result = TRUE; /* Operation succeded, although not unlocked*/
} else {
g_warning ("couldn't create credential for collection: %s",
derr.message);
dbus_error_free (&derr);
- return FALSE; /* Operation failed */
+ result = FALSE; /* Operation failed */
}
}
+
+ gkd_secret_secret_free (master);
+ return result;
}
/* -----------------------------------------------------------------------------
diff --git a/daemon/login/gkd-login.c b/daemon/login/gkd-login.c
index bdef57d..373561c 100644
--- a/daemon/login/gkd-login.c
+++ b/daemon/login/gkd-login.c
@@ -77,7 +77,9 @@ open_and_login_session (GP11Slot *slot, CK_USER_TYPE user_type, GError **error)
session = gp11_slot_open_session (slot, CKF_RW_SESSION, error);
if (session != NULL) {
if (!gp11_session_login (session, user_type, NULL, 0, error)) {
- if ((*error)->code != CKR_USER_ALREADY_LOGGED_IN) {
+ if (g_error_matches (*error, GP11_ERROR, CKR_USER_ALREADY_LOGGED_IN)) {
+ g_clear_error (error);
+ } else {
g_object_unref (session);
session = NULL;
}
@@ -574,20 +576,88 @@ find_login_keyring_item (GP11Session *session, GP11Attribute *fields)
return item;
}
+static GP11Attributes*
+attach_make_attributes_va (GP11Session *session, const gchar *label,
+ const gchar *first, va_list va)
+{
+ GP11Attributes *attrs;
+ GP11Attribute fields;
+ gchar *display_name;
+ GP11Object* item;
+ GError *error = NULL;
+ gpointer value;
+ gsize n_value;
+
+ attrs = gp11_attributes_new ();
+
+ gp11_attribute_init_empty (&fields, CKA_G_FIELDS);
+ string_attribute_list_va (va, first, &fields);
+
+ /*
+ * If there already is such an item, then include its identifier.
+ * What this does is overwrite that item, rather than creating new.
+ */
+ item = find_login_keyring_item (session, &fields);
+ if (item) {
+ value = gp11_object_get_data (item, CKA_ID, &n_value, &error);
+ if (value != NULL) {
+ gp11_attributes_add_data (attrs, CKA_ID, value, n_value);
+ g_free (value);
+ } else {
+ g_warning ("couldn't retrieve id for previous login item: %s",
+ egg_error_message (error));
+ g_clear_error (&error);
+ }
+ g_object_unref (item);
+ }
+
+ if (label == NULL)
+ label = _("Unnamed");
+
+ display_name = g_strdup_printf (_("Unlock password for: %s"), label);
+ gp11_attributes_add_string (attrs, CKA_LABEL, display_name);
+
+ gp11_attributes_add_boolean (attrs, CKA_TOKEN, TRUE);
+ gp11_attributes_add_ulong (attrs, CKA_CLASS, CKO_SECRET_KEY);
+ gp11_attributes_add_data (attrs, CKA_G_COLLECTION, "login", (gsize)5);
+ gp11_attributes_add (attrs, &fields);
+
+ gp11_attribute_clear (&fields);
+ return attrs;
+}
+
+GP11Attributes*
+gkd_login_attach_make_attributes (const gchar *label, const gchar *first, ...)
+{
+ GP11Attributes *attrs;
+ GP11Session *session;
+ GP11Module *module;
+ va_list va;
+
+ module = module_instance ();
+ session = lookup_login_session (module);
+
+ va_start (va, first);
+ attrs = attach_make_attributes_va (session, label, first, va);
+ va_end (va);
+
+ g_object_unref (session);
+ g_object_unref (module);
+
+ return attrs;
+}
+
void
gkd_login_attach_secret (const gchar *label, const gchar *secret,
const gchar *first, ...)
{
GError *error = NULL;
- GP11Attribute fields;
GP11Session *session;
GP11Module *module;
- gchar *display_name;
- GP11Object* item;
+ GP11Attributes *attrs;
+ GP11Object *item;
va_list va;
- if (label == NULL)
- label = _("Unnamed");
if (secret == NULL)
secret = "";
@@ -595,29 +665,11 @@ gkd_login_attach_secret (const gchar *label, const gchar *secret,
session = lookup_login_session (module);
va_start(va, first);
- gp11_attribute_init_empty (&fields, CKA_G_FIELDS);
- string_attribute_list_va (va, first, &fields);
+ attrs = attach_make_attributes_va (session, label, first, va);
va_end(va);
- display_name = g_strdup_printf (_("Unlock password for: %s"), label);
-
- item = find_login_keyring_item (session, &fields);
- if (item) {
- gp11_object_set (item, &error,
- CKA_LABEL, strlen (display_name), display_name,
- CKA_VALUE, strlen (secret), secret,
- GP11_INVALID);
- } else {
- item = gp11_session_create_object (session, &error,
- CKA_TOKEN, GP11_BOOLEAN, TRUE,
- CKA_CLASS, GP11_ULONG, CKO_SECRET_KEY,
- CKA_LABEL, strlen (display_name), display_name,
- CKA_VALUE, strlen (secret), secret,
- CKA_G_COLLECTION, (gsize)5, "login",
- CKA_G_FIELDS, fields.length, fields.value,
- GP11_INVALID);
- }
-
+ gp11_attributes_add_string (attrs, CKA_VALUE, secret);
+ item = gp11_session_create_object_full (session, attrs, NULL, &error);
if (error != NULL) {
g_warning ("couldn't store secret in login keyring: %s", egg_error_message (error));
g_clear_error (&error);
@@ -625,8 +677,8 @@ gkd_login_attach_secret (const gchar *label, const gchar *secret,
if (item)
g_object_unref (item);
- g_free (display_name);
- gp11_attribute_clear (&fields);
+
+ gp11_attributes_unref (attrs);
g_object_unref (session);
g_object_unref (module);
}
@@ -701,22 +753,3 @@ gkd_login_remove_secret (const gchar *first, ...)
g_object_unref (session);
g_object_unref (module);
}
-
-GP11Attributes*
-gkd_login_attributes_for_secret (const gchar *first, ...)
-{
- GP11Attributes *attrs;
- GP11Attribute *fields;
- va_list va;
-
- attrs = gp11_attributes_newv (CKA_CLASS, GP11_ULONG, CKO_SECRET_KEY,
- CKA_G_COLLECTION, (gsize)5, "login",
- GP11_INVALID);
-
- va_start(va, first);
- fields = gp11_attributes_add_empty (attrs, CKA_G_FIELDS);
- string_attribute_list_va (va, first, fields);
- va_end(va);
-
- return attrs;
-}
diff --git a/daemon/login/gkd-login.h b/daemon/login/gkd-login.h
index 89157b1..849b9f4 100644
--- a/daemon/login/gkd-login.h
+++ b/daemon/login/gkd-login.h
@@ -40,13 +40,14 @@ void gkd_login_attach_secret (const gchar *label,
const gchar *first,
...);
-gchar* gkd_login_lookup_secret (const gchar *first,
+GP11Attributes* gkd_login_attach_make_attributes (const gchar *label,
+ const gchar *first,
...);
-void gkd_login_remove_secret (const gchar *first,
+gchar* gkd_login_lookup_secret (const gchar *first,
...);
-GP11Attributes* gkd_login_attributes_for_secret (const gchar *first,
+void gkd_login_remove_secret (const gchar *first,
...);
#endif /* __GKD_LOGIN_H__ */
--
cgit v0.8.3.1


@ -1,26 +0,0 @@
From 0512a0b5a30b432f53ee8c48d75acd582c5c9c9d Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Sun, 21 Mar 2010 14:24:33 +0000
Subject: [dbus] Hide the automatically unlock check when login not usable.
If the login keyring is locked or not present, hide the auto
unlock check box since that option isn't usable.
---
diff --git a/daemon/dbus/gkd-secret-unlock.c b/daemon/dbus/gkd-secret-unlock.c
index 52e4978..8a70ddc 100644
--- a/daemon/dbus/gkd-secret-unlock.c
+++ b/daemon/dbus/gkd-secret-unlock.c
@@ -200,6 +200,11 @@ prepare_unlock_prompt (GkdSecretUnlock *self, GP11Object *coll, gboolean first)
g_free (label);
+ if (gkd_login_is_usable ())
+ gkd_prompt_show_widget (prompt, "auto_unlock_check");
+ else
+ gkd_prompt_hide_widget (prompt, "auto_unlock_check");
+
/* Setup the unlock options */
if (first) {
template = gp11_object_get_template (coll, CKA_G_CREDENTIAL_TEMPLATE, &error);
--
cgit v0.8.3.1


@ -1,52 +0,0 @@
From e43a24701767d1a8fd72f2f3ed01fe0937364b6d Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Sun, 21 Mar 2010 14:06:43 +0000
Subject: [dbus] Allow unlocking even when always unlock is not available.
When the Always Unlock option could not work (due to a missing or
locked login keyring) unlocking a keyring fail when that option
was selected.
Fixes bug #610998
---
diff --git a/daemon/dbus/gkd-secret-unlock.c b/daemon/dbus/gkd-secret-unlock.c
index ee17fd1..52e4978 100644
--- a/daemon/dbus/gkd-secret-unlock.c
+++ b/daemon/dbus/gkd-secret-unlock.c
@@ -271,8 +271,9 @@ attach_credential_to_login (GP11Object *collection, GP11Object *cred)
egg_secure_free (value);
} else {
- g_warning ("couldn't read unlock credentials to save in login keyring: %s",
- egg_error_message (error));
+ if (!g_error_matches (error, GP11_ERROR, CKR_USER_NOT_LOGGED_IN))
+ g_warning ("couldn't read unlock credentials to save in login keyring: %s",
+ egg_error_message (error));
g_clear_error (&error);
}
@@ -295,6 +296,7 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
DBusError derr = DBUS_ERROR_INIT;
GkdSecretSecret *master;
GP11Attributes *template;
+ GP11Attribute *attr;
GP11Object *cred;
gboolean transient;
@@ -321,8 +323,12 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
gkd_prompt_get_unlock_options (GKD_PROMPT (self), template);
/* If it's supposed to save non-transient, then we override that */
- if (!gp11_attributes_find_boolean (template, CKA_GNOME_TRANSIENT, &transient))
- transient = TRUE;
+ attr = gp11_attributes_find (template, CKA_GNOME_TRANSIENT);
+ if (attr != NULL) {
+ transient = gp11_attribute_get_boolean (attr);
+ gp11_attribute_clear (attr);
+ gp11_attribute_init_boolean (attr, CKA_GNOME_TRANSIENT, TRUE);
+ }
cred = gkd_secret_session_create_credential (master->session, NULL, template, master, &derr);
gkd_secret_secret_free (master);
--
cgit v0.8.3.1

View File

@ -1,67 +0,0 @@
From 629fecbd61c8585a2bc95e2fcb059de260c34fb8 Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Sun, 11 Jul 2010 23:18:23 +0000
Subject: [ssh-agent] Try to unlock key before use.
* This allows us to keep the unlocking for the rest of the session.
* Restores behavior from gnome-keyring 2.30 and before.
---
diff --git a/daemon/ssh-agent/gkd-ssh-agent-ops.c b/daemon/ssh-agent/gkd-ssh-agent-ops.c
index 759a06a..dc02245 100644
--- a/daemon/ssh-agent/gkd-ssh-agent-ops.c
+++ b/daemon/ssh-agent/gkd-ssh-agent-ops.c
@@ -892,6 +892,42 @@ make_raw_sign_hash (GChecksumType algo, const guchar *data, gsize n_data,
return hash;
}
+static guchar*
+unlock_and_sign (GP11Session *session, GP11Object *key, gulong mech_type, const guchar *input,
+ gsize n_input, gsize *n_result, GError **err)
+{
+ GP11Attributes *attrs;
+ GP11Object *cred;
+ gboolean always;
+
+ /* First check if we should authenticate the key */
+ attrs = gp11_object_get (key, err, CKA_ALWAYS_AUTHENTICATE, GP11_INVALID);
+ if (!attrs)
+ return NULL;
+
+ /* Authenticate the key if necessary, this allows long term */
+ if (!gp11_attributes_find_boolean (attrs, CKA_ALWAYS_AUTHENTICATE, &always))
+ g_return_val_if_reached (NULL);
+
+ gp11_attributes_unref (attrs);
+
+ if (always == TRUE) {
+ cred = gp11_session_create_object (session, err,
+ CKA_TOKEN, GP11_BOOLEAN, FALSE,
+ CKA_CLASS, GP11_ULONG, CKO_G_CREDENTIAL,
+ CKA_VALUE, 0, NULL,
+ CKA_G_OBJECT, GP11_ULONG, gp11_object_get_handle (key),
+ GP11_INVALID);
+ if (cred == NULL)
+ return NULL;
+
+ g_object_unref (cred);
+ }
+
+ /* Do the magic */
+ return gp11_session_sign (session, key, mech_type, input, n_input, n_result, err);
+}
+
static gboolean
op_sign_request (GkdSshAgentCall *call)
{
@@ -961,8 +997,7 @@ op_sign_request (GkdSshAgentCall *call)
session = gp11_object_get_session (key);
g_return_val_if_fail (session, FALSE);
- /* Do the magic */
- result = gp11_session_sign (session, key, mech, hash, n_hash, &n_result, &error);
+ result = unlock_and_sign (session, key, mech, hash, n_hash, &n_result, &error);
g_object_unref (session);
g_object_unref (key);
--
cgit v0.8.3.1

View File

@ -1,4 +1,4 @@
%define glib2_version 2.16.0
%define glib2_version 2.25.0
%define gtk2_version 2.20.0
%define dbus_version 1.0
%define hal_version 0.5.7
@ -7,7 +7,7 @@
Summary: Framework for managing passwords and other secrets
Name: gnome-keyring
Version: 2.31.91
Version: 2.31.92
Release: 1%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Libraries
@ -15,22 +15,13 @@ Group: System Environment/Libraries
Source: http://download.gnome.org/sources/gnome-keyring/2.31/gnome-keyring-%{version}.tar.bz2
URL: http://www.gnome.org
# https://bugzilla.gnome.org/show_bug.cgi?id=628457
Patch0: pam-headers.patch
# http://bugzilla.redhat.com/529709
# http://bugs.gnome.org/598494
Patch3: gnome-keyring-2.28.1-nopass.patch
# Bug 611642 - gnome-keyring isn't staying unlocked
# https://bugzilla.redhat.com/show_bug.cgi?id=611642
Patch4: gnome-keyring-2.31.5-ssh-agent-unlock.patch
BuildRequires: glib2-devel >= %{glib2_version}
BuildRequires: gtk2-devel >= %{gtk2_version}
BuildRequires: GConf2-devel
BuildRequires: dbus-devel >= %{dbus_version}
BuildRequires: libgcrypt-devel >= %{gcrypt_version}
BuildRequires: libtasn1-devel >= %{libtasn1_version}
@ -40,9 +31,6 @@ BuildRequires: gettext
BuildRequires: intltool
BuildRequires: libtasn1-tools
BuildRequires: libgnome-keyring-devel
Requires(pre): GConf2
Requires(preun): GConf2
Requires(post): GConf2
# for smooth transition since the core was split
Requires: libgnome-keyring
@ -79,8 +67,7 @@ automatically unlock the "login" keyring when the user logs in.
%prep
%setup -q -n gnome-keyring-%{version}
%patch0 -p1 -b .pam-headers
%patch3 -p1 -b .no-pass
# Enable daemon autostart in XFCE
for i in daemon/*.desktop.in.in; do
@ -94,7 +81,8 @@ autoreconf -i -f
%configure --disable-gtk-doc \
--with-pam-dir=/%{_lib}/security \
--disable-acl-prompts \
--enable-pam
--enable-pam \
--with-gtk=2.0
# avoid unneeded direct dependencies
sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0 /g' libtool
@ -102,9 +90,7 @@ sed -i -e 's/ -shared / -Wl,-O1,--as-needed\0 /g' libtool
make %{?_smp_mflags}
%install
export GCONF_DISABLE_MAKEFILE_SCHEMA_INSTALL=1
make install DESTDIR=$RPM_BUILD_ROOT
unset GCONF_DISABLE_MAKEFILE_SCHEMA_INSTALL
rm $RPM_BUILD_ROOT/%{_lib}/security/*.la
rm $RPM_BUILD_ROOT%{_libdir}/*.la
@ -117,13 +103,15 @@ rm $RPM_BUILD_ROOT%{_libdir}/gnome-keyring/standalone/*.la
%post
/sbin/ldconfig
%pre
%gconf_schema_obsolete gnome-keyring
%postun
/sbin/ldconfig
if [ $1 -eq 0 ]; then
glib-compile-schemas %{_datadir}/glib-2.0/schemas
fi
%preun
%gconf_schema_remove gnome-keyring
%posttrans
glib-compile-schemas %{_datadir}/glib-2.0/schemas
%postun -p /sbin/ldconfig
%files -f gnome-keyring.lang
%defattr(-, root, root)
@ -141,6 +129,8 @@ rm $RPM_BUILD_ROOT%{_libdir}/gnome-keyring/standalone/*.la
%{_datadir}/gcr
%{_datadir}/gnome-keyring
%{_sysconfdir}/xdg/autostart/*
%{_datadir}/GConf/gsettings/*.convert
%{_datadir}/glib-2.0/schemas/*.gschema.xml
%files devel
%defattr(-, root, root)
@ -155,6 +145,9 @@ rm $RPM_BUILD_ROOT%{_libdir}/gnome-keyring/standalone/*.la
%changelog
* Mon Sep 13 2010 Tomas Bzatek <tbzatek@redhat.com> - 2.31.92-1
- Update to 2.31.92
* Tue Aug 31 2010 Matthias Clasen <mclasen@redhat.com> - 2.31.91-1
- Update to 2.31.91
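Review bot: The `%pre` scriptlet still calls `%gconf_schema_obsolete gnome-keyring`, but the hunk counts at `-40,9 +31,6` suggest the three `Requires(pre)`/`Requires(preun)`/`Requires(post): GConf2` lines are dropped in the same change (the rendering has lost the +/- markers, so this is inferred from the counts). If GConf2 is not guaranteed to be installed before `%pre` runs, the gconftool-2 call behind that macro can fail or silently skip the schema unregistration, and a failing `%pre` stops the package from being installed. I would keep `Requires(pre): GConf2` for as long as the obsolete-schema call stays in the spec. Separately, the bare `glib-compile-schemas %{_datadir}/glib-2.0/schemas` calls in `%postun` and `%posttrans` would be more robust as `glib-compile-schemas %{_datadir}/glib-2.0/schemas &> /dev/null || :`, so a schema-compile error does not surface as a scriptlet failure.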


@ -1,12 +0,0 @@
diff -up gnome-keyring-2.31.91/configure.in.pam-headers gnome-keyring-2.31.91/configure.in
--- gnome-keyring-2.31.91/configure.in.pam-headers 2010-08-31 19:23:16.091743002 -0400
+++ gnome-keyring-2.31.91/configure.in 2010-08-31 19:23:44.418743001 -0400
@@ -251,7 +251,7 @@ AC_ARG_ENABLE(pam,
pam_status="no"
if test "$enable_pam" != "no"; then
- AC_CHECK_HEADERS(security/pam_modules.h pam/pam_modules.h, have_pam=yes, have_pam=no)
+ AC_CHECK_HEADERS(security/pam_modules.h pam/pam_modules.h, [have_pam=yes; break], have_pam=no)
if test "$enable_pam" = "yes" -a "$have_pam" = "no"; then
AC_MSG_ERROR(The PAM headers are missing)
elif test "$have_pam" = "yes"; then


@ -1 +1 @@
8abae3120341351a66e0ccd9cacf5218 gnome-keyring-2.31.91.tar.bz2
666ce443754505ccae6d047348c8d1ea gnome-keyring-2.31.92.tar.bz2