rpms
/
gnome-keyring
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

- More robust error display and handling 

- [secret-store] Don't save session keyring to disk
- [dbus] Allow unlocking even when always unlock is not available
- [dbus] Hide the automatically unlock check when login not usable
- [login] Fix various issues storing and using auto unlock passwords
This commit is contained in:
Tomas Bzatek 2010-03-22 14:00:10 +00:00
parent de0f5c62f4
commit 9db95ed3a2
6 changed files with 2053 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1361
gnome-keyring-2.30.0-better-error-handling.patch Normal file
View File

File diff suppressed because it is too large Load Diff

259
gnome-keyring-2.30.0-dont-save-session-keyring-to-disk.patch Normal file
View File

@ -0,0 +1,259 @@
From d30630070b2e7f6173ea872f45bb47b70948e796 Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Sat, 20 Mar 2010 02:19:44 +0000
Subject: [secret-store] Don't save session keyring to disk.
There was a major problem where the session keyring was being saved
to disk, and since it had to master password, as a cleartext keyring
Mark the session keyring as transient so it doesn't even come near
the storage code. Also rework the collection storage code, so that
it properly handles various corner cases.
Fixes bug #612977
---
diff --git a/pkcs11/gck/gck-object.c b/pkcs11/gck/gck-object.c
index a568042..a2d03e2 100644
--- a/pkcs11/gck/gck-object.c
+++ b/pkcs11/gck/gck-object.c
@@ -41,7 +41,8 @@ enum {
PROP_MODULE,
PROP_MANAGER,
PROP_STORE,
- PROP_UNIQUE
+ PROP_UNIQUE,
+ PROP_TRANSIENT
};
enum {
@@ -201,6 +202,13 @@ find_credential (GckCredential *cred, GckObject *object, gpointer user_data)
return TRUE;
}
+static void
+mark_object_transient (GckObject *self)
+{
+ if (!self->pv->transient)
+ self->pv->transient = g_slice_new0 (GckObjectTransient);
+}
+
/* -----------------------------------------------------------------------------
* OBJECT
*/
@@ -337,7 +345,7 @@ gck_object_real_create_attributes (GckObject *self, GckSession *session,
CKA_G_DESTRUCT_IDLE, CKA_GNOME_TRANSIENT, G_MAXULONG);
if (transient) {
- self->pv->transient = g_slice_new0 (GckObjectTransient);
+ mark_object_transient (self);
self->pv->transient->timed_after = after;
self->pv->transient->timed_idle = idle;
}
@@ -481,6 +489,11 @@ gck_object_set_property (GObject *obj, guint prop_id, const GValue *value,
g_return_if_fail (!self->pv->unique);
self->pv->unique = g_value_dup_string (value);
break;
+ case PROP_TRANSIENT:
+ g_return_if_fail (!self->pv->transient);
+ if (g_value_get_boolean (value))
+ mark_object_transient (self);
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec);
break;
@@ -510,6 +523,9 @@ gck_object_get_property (GObject *obj, guint prop_id, GValue *value,
case PROP_UNIQUE:
g_value_set_string (value, gck_object_get_unique (self));
break;
+ case PROP_TRANSIENT:
+ g_value_set_boolean (value, gck_object_is_transient (self));
+ break;
default:
G_OBJECT_WARN_INVALID_PROPERTY_ID (obj, prop_id, pspec);
break;
@@ -556,7 +572,11 @@ gck_object_class_init (GckObjectClass *klass)
g_object_class_install_property (gobject_class, PROP_UNIQUE,
g_param_spec_string ("unique", "Unique Identifer", "Machine unique identifier",
NULL, G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
-
+
+ g_object_class_install_property (gobject_class, PROP_TRANSIENT,
+ g_param_spec_boolean ("transient", "Transient Object", "Transient Object",
+ FALSE, G_PARAM_READWRITE | G_PARAM_CONSTRUCT_ONLY));
+
signals[EXPOSE_OBJECT] = g_signal_new ("expose-object", GCK_TYPE_OBJECT,
G_SIGNAL_RUN_FIRST, G_STRUCT_OFFSET (GckObjectClass, expose_object),
NULL, NULL, g_cclosure_marshal_VOID__BOOLEAN,
diff --git a/pkcs11/secret-store/gck-secret-module.c b/pkcs11/secret-store/gck-secret-module.c
index 5b08008..c3cba91 100644
--- a/pkcs11/secret-store/gck-secret-module.c
+++ b/pkcs11/secret-store/gck-secret-module.c
@@ -42,10 +42,7 @@ struct _GckSecretModule {
GckFileTracker *tracker;
GHashTable *collections;
gchar *directory;
-
- /* Special 'session' keyring */
GckCredential *session_credential;
- GckSecretCollection *session_collection;
};
static const CK_SLOT_INFO gck_secret_module_slot_info = {
@@ -301,42 +298,52 @@ gck_secret_module_real_refresh_token (GckModule *base)
}
static void
+gck_secret_module_real_add_object (GckModule *module, GckTransaction *transaction,
+ GckObject *object)
+{
+ GckSecretModule *self = GCK_SECRET_MODULE (module);
+ GckSecretCollection *collection;
+ const gchar *identifier;
+ gchar *filename;
+
+ g_return_if_fail (!gck_transaction_get_failed (transaction));
+
+ if (GCK_IS_SECRET_COLLECTION (object)) {
+ collection = GCK_SECRET_COLLECTION (object);
+
+ /* Setup a filename for this collection */
+ identifier = gck_secret_object_get_identifier (GCK_SECRET_OBJECT (collection));
+ filename = identifier_to_new_filename (self, identifier);
+ gck_secret_collection_set_filename (collection, filename);
+ g_free (filename);
+
+ add_collection (self, transaction, collection);
+ }
+}
+
+static void
gck_secret_module_real_store_object (GckModule *module, GckTransaction *transaction,
GckObject *object)
{
GckSecretModule *self = GCK_SECRET_MODULE (module);
GckSecretCollection *collection = NULL;
- const gchar *identifier;
- gchar *filename;
- /* Storing an item */
+ /* Store the item's collection */
if (GCK_IS_SECRET_ITEM (object)) {
collection = gck_secret_item_get_collection (GCK_SECRET_ITEM (object));
g_return_if_fail (GCK_IS_SECRET_COLLECTION (collection));
+ gck_module_store_token_object (GCK_MODULE (self), transaction, GCK_OBJECT (collection));
/* Storing a collection */
} else if (GCK_IS_SECRET_COLLECTION (object)) {
collection = GCK_SECRET_COLLECTION (object);
- }
+ gck_secret_collection_save (collection, transaction);
/* No other kind of token object */
- if (collection == NULL) {
+ } else {
g_warning ("can't store object of type '%s' on secret token", G_OBJECT_TYPE_NAME (object));
gck_transaction_fail (transaction, CKR_GENERAL_ERROR);
- return;
- }
-
- /* Setup a filename for this collection */
- if (!gck_secret_collection_get_filename (collection)) {
- identifier = gck_secret_object_get_identifier (GCK_SECRET_OBJECT (collection));
- filename = identifier_to_new_filename (self, identifier);
- gck_secret_collection_set_filename (collection, filename);
- g_free (filename);
}
-
- gck_secret_collection_save (collection, transaction);
- if (!gck_transaction_get_failed (transaction))
- add_collection (self, transaction, collection);
}
static void
@@ -351,11 +358,6 @@ gck_secret_module_real_remove_object (GckModule *module, GckTransaction *transac
GCK_OBJECT (self->session_credential) == object)
return;
- /* Ignore the session keyring collection */
- if (self->session_collection != NULL &&
- GCK_OBJECT (self->session_collection) == object)
- return;
-
/* Removing an item */
if (GCK_IS_SECRET_ITEM (object)) {
collection = gck_secret_item_get_collection (GCK_SECRET_ITEM (object));
@@ -384,6 +386,7 @@ gck_secret_module_constructor (GType type, guint n_props, GObjectConstructParam
{
GckSecretModule *self = GCK_SECRET_MODULE (G_OBJECT_CLASS (gck_secret_module_parent_class)->constructor(type, n_props, props));
GckManager *manager;
+ GckObject *collection;
CK_RV rv;
g_return_val_if_fail (self, NULL);
@@ -401,22 +404,27 @@ gck_secret_module_constructor (GType type, guint n_props, GObjectConstructParam
manager = gck_module_get_manager (GCK_MODULE (self));
+ collection = g_object_new (GCK_TYPE_SECRET_COLLECTION,
+ "module", self,
+ "identifier", "session",
+ "manager", manager,
+ "transient", TRUE,
+ NULL);
+
/* Create the 'session' keyring, which is not stored to disk */
- self->session_collection = g_object_new (GCK_TYPE_SECRET_COLLECTION,
- "module", self,
- "identifier", "session",
- "manager", manager,
- NULL);
- gck_object_expose (GCK_OBJECT (self->session_collection), TRUE);
+ g_return_val_if_fail (gck_object_is_transient (collection), NULL);
+ gck_module_add_token_object (GCK_MODULE (self), NULL, collection);
+ gck_object_expose (collection, TRUE);
/* Unlock the 'session' keyring */
- rv = gck_credential_create (GCK_MODULE (self), manager, GCK_OBJECT (self->session_collection),
+ rv = gck_credential_create (GCK_MODULE (self), manager, GCK_OBJECT (collection),
NULL, 0, &self->session_credential);
if (rv == CKR_OK)
gck_object_expose (GCK_OBJECT (self->session_credential), TRUE);
else
g_warning ("couldn't unlock the 'session' keyring");
+ g_object_unref (collection);
return G_OBJECT (self);
}
@@ -438,10 +446,6 @@ gck_secret_module_dispose (GObject *obj)
g_object_unref (self->tracker);
self->tracker = NULL;
- if (self->session_collection)
- g_object_unref (self->session_collection);
- self->session_collection = NULL;
-
if (self->session_credential)
g_object_unref (self->session_credential);
self->session_credential = NULL;
@@ -465,7 +469,6 @@ gck_secret_module_finalize (GObject *obj)
self->directory = NULL;
g_assert (!self->session_credential);
- g_assert (!self->session_collection);
G_OBJECT_CLASS (gck_secret_module_parent_class)->finalize (obj);
}
@@ -484,8 +487,9 @@ gck_secret_module_class_init (GckSecretModuleClass *klass)
module_class->get_token_info = gck_secret_module_real_get_token_info;
module_class->parse_argument = gck_secret_module_real_parse_argument;
module_class->refresh_token = gck_secret_module_real_refresh_token;
- module_class->remove_token_object = gck_secret_module_real_remove_object;
+ module_class->add_token_object = gck_secret_module_real_add_object;
module_class->store_token_object = gck_secret_module_real_store_object;
+ module_class->remove_token_object = gck_secret_module_real_remove_object;
}
/* ---------------------------------------------------------------------------------------
--
cgit v0.8.3.1

335
gnome-keyring-2.30.0-fix-storing-autounlock.patch Normal file
View File

@ -0,0 +1,335 @@
From d864698a290c55d1ccda5cc20946894ade5e827d Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Sun, 21 Mar 2010 15:55:51 +0000
Subject: [login] Fix various issues storing and using auto unlock passwords.
* Unwrap secrets directly into login keyring for auto unlock.
* Fix various corner cases using auto unlock stuff in login keyring.
---
diff --git a/daemon/dbus/gkd-secret-session.c b/daemon/dbus/gkd-secret-session.c
index 80cd054..73551df 100644
--- a/daemon/dbus/gkd-secret-session.c
+++ b/daemon/dbus/gkd-secret-session.c
@@ -730,6 +730,8 @@ gkd_secret_session_create_credential (GkdSecretSession *self, GP11Session *sessi
}
g_clear_error (&error);
return NULL;
+ } else {
+ gp11_object_set_session (object, session);
}
return object;
diff --git a/daemon/dbus/gkd-secret-unlock.c b/daemon/dbus/gkd-secret-unlock.c
index 8a70ddc..f5df63b 100644
--- a/daemon/dbus/gkd-secret-unlock.c
+++ b/daemon/dbus/gkd-secret-unlock.c
@@ -247,43 +247,35 @@ check_locked_collection (GP11Object *collection, gboolean *locked)
}
static void
-attach_credential_to_login (GP11Object *collection, GP11Object *cred)
+attach_unlock_to_login (GP11Object *collection, GkdSecretSecret *master)
{
- GError *error = NULL;
+ DBusError derr = DBUS_ERROR_INIT;
GP11Attributes *attrs;
- gpointer value;
- gsize n_value;
+ GP11Object *cred;
gchar *location;
gchar *label;
g_assert (GP11_IS_OBJECT (collection));
- g_assert (GP11_IS_OBJECT (cred));
+ /* Relevant information for the unlock item */
attrs = attributes_for_collection (collection);
g_return_if_fail (attrs);
-
location = location_string_for_attributes (attrs);
label = label_string_for_attributes (attrs);
gp11_attributes_unref (attrs);
- value = gp11_object_get_data_full (cred, CKA_VALUE, egg_secure_realloc, NULL, &n_value, &error);
- if (value) {
- if (g_utf8_validate (value, n_value, NULL))
- gkd_login_attach_secret (label, value, "keyring", location, NULL);
- else
- g_warning ("couldn't save non utf-8 unlock credentials in login keyring");
- egg_secure_clear (value, n_value);
- egg_secure_free (value);
-
- } else {
- if (!g_error_matches (error, GP11_ERROR, CKR_USER_NOT_LOGGED_IN))
- g_warning ("couldn't read unlock credentials to save in login keyring: %s",
- egg_error_message (error));
- g_clear_error (&error);
- }
-
+ attrs = gkd_login_attach_make_attributes (label, "keyring", location, NULL);
g_free (location);
g_free (label);
+
+ cred = gkd_secret_session_create_credential (master->session, NULL, attrs, master, &derr);
+ gp11_attributes_unref (attrs);
+ g_object_unref (cred);
+
+ if (!cred) {
+ g_warning ("couldn't save unlock password in login collection: %s", derr.message);
+ dbus_error_free (&derr);
+ }
}
static void
@@ -304,6 +296,7 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
GP11Attribute *attr;
GP11Object *cred;
gboolean transient;
+ gboolean result;
g_assert (GKD_SECRET_IS_UNLOCK (self));
g_assert (GP11_IS_OBJECT (collection));
@@ -336,35 +329,37 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
}
cred = gkd_secret_session_create_credential (master->session, NULL, template, master, &derr);
- gkd_secret_secret_free (master);
+ g_object_unref (cred);
if (cred) {
/* Save it to the login keyring */
if (!transient)
- attach_credential_to_login (collection, cred);
- g_object_unref (cred);
+ attach_unlock_to_login (collection, master);
/* Save away the unlock options for next time */
gp11_object_set_template (collection, CKA_G_CREDENTIAL_TEMPLATE, template, NULL);
gp11_attributes_unref (template);
*locked = FALSE;
- return TRUE; /* Operation succeeded, and unlocked */
+ result = TRUE; /* Operation succeeded, and unlocked */
} else {
gp11_attributes_unref (template);
if (dbus_error_has_name (&derr, INTERNAL_ERROR_DENIED)) {
dbus_error_free (&derr);
*locked = TRUE;
- return TRUE; /* Operation succeded, although not unlocked*/
+ result = TRUE; /* Operation succeded, although not unlocked*/
} else {
g_warning ("couldn't create credential for collection: %s",
derr.message);
dbus_error_free (&derr);
- return FALSE; /* Operation failed */
+ result = FALSE; /* Operation failed */
}
}
+
+ gkd_secret_secret_free (master);
+ return result;
}
/* -----------------------------------------------------------------------------
diff --git a/daemon/login/gkd-login.c b/daemon/login/gkd-login.c
index bdef57d..373561c 100644
--- a/daemon/login/gkd-login.c
+++ b/daemon/login/gkd-login.c
@@ -77,7 +77,9 @@ open_and_login_session (GP11Slot *slot, CK_USER_TYPE user_type, GError **error)
session = gp11_slot_open_session (slot, CKF_RW_SESSION, error);
if (session != NULL) {
if (!gp11_session_login (session, user_type, NULL, 0, error)) {
- if ((*error)->code != CKR_USER_ALREADY_LOGGED_IN) {
+ if (g_error_matches (*error, GP11_ERROR, CKR_USER_ALREADY_LOGGED_IN)) {
+ g_clear_error (error);
+ } else {
g_object_unref (session);
session = NULL;
}
@@ -574,20 +576,88 @@ find_login_keyring_item (GP11Session *session, GP11Attribute *fields)
return item;
}
+static GP11Attributes*
+attach_make_attributes_va (GP11Session *session, const gchar *label,
+ const gchar *first, va_list va)
+{
+ GP11Attributes *attrs;
+ GP11Attribute fields;
+ gchar *display_name;
+ GP11Object* item;
+ GError *error = NULL;
+ gpointer value;
+ gsize n_value;
+
+ attrs = gp11_attributes_new ();
+
+ gp11_attribute_init_empty (&fields, CKA_G_FIELDS);
+ string_attribute_list_va (va, first, &fields);
+
+ /*
+ * If there already is such an item, then include its identifier.
+ * What this does is overwrite that item, rather than creating new.
+ */
+ item = find_login_keyring_item (session, &fields);
+ if (item) {
+ value = gp11_object_get_data (item, CKA_ID, &n_value, &error);
+ if (value != NULL) {
+ gp11_attributes_add_data (attrs, CKA_ID, value, n_value);
+ g_free (value);
+ } else {
+ g_warning ("couldn't retrieve id for previous login item: %s",
+ egg_error_message (error));
+ g_clear_error (&error);
+ }
+ g_object_unref (item);
+ }
+
+ if (label == NULL)
+ label = _("Unnamed");
+
+ display_name = g_strdup_printf (_("Unlock password for: %s"), label);
+ gp11_attributes_add_string (attrs, CKA_LABEL, display_name);
+
+ gp11_attributes_add_boolean (attrs, CKA_TOKEN, TRUE);
+ gp11_attributes_add_ulong (attrs, CKA_CLASS, CKO_SECRET_KEY);
+ gp11_attributes_add_data (attrs, CKA_G_COLLECTION, "login", (gsize)5);
+ gp11_attributes_add (attrs, &fields);
+
+ gp11_attribute_clear (&fields);
+ return attrs;
+}
+
+GP11Attributes*
+gkd_login_attach_make_attributes (const gchar *label, const gchar *first, ...)
+{
+ GP11Attributes *attrs;
+ GP11Session *session;
+ GP11Module *module;
+ va_list va;
+
+ module = module_instance ();
+ session = lookup_login_session (module);
+
+ va_start (va, first);
+ attrs = attach_make_attributes_va (session, label, first, va);
+ va_end (va);
+
+ g_object_unref (session);
+ g_object_unref (module);
+
+ return attrs;
+}
+
void
gkd_login_attach_secret (const gchar *label, const gchar *secret,
const gchar *first, ...)
{
GError *error = NULL;
- GP11Attribute fields;
GP11Session *session;
GP11Module *module;
- gchar *display_name;
- GP11Object* item;
+ GP11Attributes *attrs;
+ GP11Object *item;
va_list va;
- if (label == NULL)
- label = _("Unnamed");
if (secret == NULL)
secret = "";
@@ -595,29 +665,11 @@ gkd_login_attach_secret (const gchar *label, const gchar *secret,
session = lookup_login_session (module);
va_start(va, first);
- gp11_attribute_init_empty (&fields, CKA_G_FIELDS);
- string_attribute_list_va (va, first, &fields);
+ attrs = attach_make_attributes_va (session, label, first, va);
va_end(va);
- display_name = g_strdup_printf (_("Unlock password for: %s"), label);
-
- item = find_login_keyring_item (session, &fields);
- if (item) {
- gp11_object_set (item, &error,
- CKA_LABEL, strlen (display_name), display_name,
- CKA_VALUE, strlen (secret), secret,
- GP11_INVALID);
- } else {
- item = gp11_session_create_object (session, &error,
- CKA_TOKEN, GP11_BOOLEAN, TRUE,
- CKA_CLASS, GP11_ULONG, CKO_SECRET_KEY,
- CKA_LABEL, strlen (display_name), display_name,
- CKA_VALUE, strlen (secret), secret,
- CKA_G_COLLECTION, (gsize)5, "login",
- CKA_G_FIELDS, fields.length, fields.value,
- GP11_INVALID);
- }
-
+ gp11_attributes_add_string (attrs, CKA_VALUE, secret);
+ item = gp11_session_create_object_full (session, attrs, NULL, &error);
if (error != NULL) {
g_warning ("couldn't store secret in login keyring: %s", egg_error_message (error));
g_clear_error (&error);
@@ -625,8 +677,8 @@ gkd_login_attach_secret (const gchar *label, const gchar *secret,
if (item)
g_object_unref (item);
- g_free (display_name);
- gp11_attribute_clear (&fields);
+
+ gp11_attributes_unref (attrs);
g_object_unref (session);
g_object_unref (module);
}
@@ -701,22 +753,3 @@ gkd_login_remove_secret (const gchar *first, ...)
g_object_unref (session);
g_object_unref (module);
}
-
-GP11Attributes*
-gkd_login_attributes_for_secret (const gchar *first, ...)
-{
- GP11Attributes *attrs;
- GP11Attribute *fields;
- va_list va;
-
- attrs = gp11_attributes_newv (CKA_CLASS, GP11_ULONG, CKO_SECRET_KEY,
- CKA_G_COLLECTION, (gsize)5, "login",
- GP11_INVALID);
-
- va_start(va, first);
- fields = gp11_attributes_add_empty (attrs, CKA_G_FIELDS);
- string_attribute_list_va (va, first, fields);
- va_end(va);
-
- return attrs;
-}
diff --git a/daemon/login/gkd-login.h b/daemon/login/gkd-login.h
index 89157b1..849b9f4 100644
--- a/daemon/login/gkd-login.h
+++ b/daemon/login/gkd-login.h
@@ -40,13 +40,14 @@ void gkd_login_attach_secret (const gchar *label,
const gchar *first,
...);
-gchar* gkd_login_lookup_secret (const gchar *first,
+GP11Attributes* gkd_login_attach_make_attributes (const gchar *label,
+ const gchar *first,
...);
-void gkd_login_remove_secret (const gchar *first,
+gchar* gkd_login_lookup_secret (const gchar *first,
...);
-GP11Attributes* gkd_login_attributes_for_secret (const gchar *first,
+void gkd_login_remove_secret (const gchar *first,
...);
#endif /* __GKD_LOGIN_H__ */
--
cgit v0.8.3.1

26
gnome-keyring-2.30.0-hide-automaticall-unlock.patch Normal file
View File

@ -0,0 +1,26 @@
From 0512a0b5a30b432f53ee8c48d75acd582c5c9c9d Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Sun, 21 Mar 2010 14:24:33 +0000
Subject: [dbus] Hide the automatically unlock check when login not usable.
If the login keyring is locked or not present, hide the auto
unlock check box since that option isn't usable.
---
diff --git a/daemon/dbus/gkd-secret-unlock.c b/daemon/dbus/gkd-secret-unlock.c
index 52e4978..8a70ddc 100644
--- a/daemon/dbus/gkd-secret-unlock.c
+++ b/daemon/dbus/gkd-secret-unlock.c
@@ -200,6 +200,11 @@ prepare_unlock_prompt (GkdSecretUnlock *self, GP11Object *coll, gboolean first)
g_free (label);
+ if (gkd_login_is_usable ())
+ gkd_prompt_show_widget (prompt, "auto_unlock_check");
+ else
+ gkd_prompt_hide_widget (prompt, "auto_unlock_check");
+
/* Setup the unlock options */
if (first) {
template = gp11_object_get_template (coll, CKA_G_CREDENTIAL_TEMPLATE, &error);
--
cgit v0.8.3.1

52
gnome-keyring-2.30.0-unlocking-when-unavailable.patch Normal file
View File

@ -0,0 +1,52 @@
From e43a24701767d1a8fd72f2f3ed01fe0937364b6d Mon Sep 17 00:00:00 2001
From: Stef Walter <stef@memberwebs.com>
Date: Sun, 21 Mar 2010 14:06:43 +0000
Subject: [dbus] Allow unlocking even when always unlock is not available.
When the Always Unlock option could not work (due to a missing or
locked login keyring) unlocking a keyring fail when that option
was selected.
Fixes bug #610998
---
diff --git a/daemon/dbus/gkd-secret-unlock.c b/daemon/dbus/gkd-secret-unlock.c
index ee17fd1..52e4978 100644
--- a/daemon/dbus/gkd-secret-unlock.c
+++ b/daemon/dbus/gkd-secret-unlock.c
@@ -271,8 +271,9 @@ attach_credential_to_login (GP11Object *collection, GP11Object *cred)
egg_secure_free (value);
} else {
- g_warning ("couldn't read unlock credentials to save in login keyring: %s",
- egg_error_message (error));
+ if (!g_error_matches (error, GP11_ERROR, CKR_USER_NOT_LOGGED_IN))
+ g_warning ("couldn't read unlock credentials to save in login keyring: %s",
+ egg_error_message (error));
g_clear_error (&error);
}
@@ -295,6 +296,7 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
DBusError derr = DBUS_ERROR_INIT;
GkdSecretSecret *master;
GP11Attributes *template;
+ GP11Attribute *attr;
GP11Object *cred;
gboolean transient;
@@ -321,8 +323,12 @@ authenticate_collection (GkdSecretUnlock *self, GP11Object *collection, gboolean
gkd_prompt_get_unlock_options (GKD_PROMPT (self), template);
/* If it's supposed to save non-transient, then we override that */
- if (!gp11_attributes_find_boolean (template, CKA_GNOME_TRANSIENT, &transient))
- transient = TRUE;
+ attr = gp11_attributes_find (template, CKA_GNOME_TRANSIENT);
+ if (attr != NULL) {
+ transient = gp11_attribute_get_boolean (attr);
+ gp11_attribute_clear (attr);
+ gp11_attribute_init_boolean (attr, CKA_GNOME_TRANSIENT, TRUE);
+ }
cred = gkd_secret_session_create_credential (master->session, NULL, template, master, &derr);
gkd_secret_secret_free (master);
--
cgit v0.8.3.1

21
gnome-keyring.spec
View File

@ -8,7 +8,7 @@
Summary: Framework for managing passwords and other secrets
Name: gnome-keyring
Version: 2.29.92
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv2+ and LGPLv2+
Group: System Environment/Libraries
Source: http://download.gnome.org/sources/gnome-keyring/2.29/gnome-keyring-%{version}.tar.bz2
@ -17,6 +17,13 @@ Source: http://download.gnome.org/sources/gnome-keyring/2.29/gnome-keyring-%{ver
# http://bugs.gnome.org/598494
Patch3: gnome-keyring-2.28.1-nopass.patch
# from master
Patch4: gnome-keyring-2.30.0-better-error-handling.patch
Patch5: gnome-keyring-2.30.0-dont-save-session-keyring-to-disk.patch
Patch6: gnome-keyring-2.30.0-unlocking-when-unavailable.patch
Patch7: gnome-keyring-2.30.0-hide-automaticall-unlock.patch
Patch8: gnome-keyring-2.30.0-fix-storing-autounlock.patch
URL: http://www.gnome.org
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -76,6 +83,11 @@ automatically unlock the "login" keyring when the user logs in.
%prep
%setup -q -n gnome-keyring-%{version}
%patch3 -p1 -b .no-pass
%patch4 -p1 -b .better-error-handling
%patch5 -p1 -b .dont-save-session-keyring-to-disk
%patch6 -p1 -b .unlocking-when-unavailable
%patch7 -p1 -b .hide-automaticall-unlock
%patch8 -p1 -b .fix-storing-autounlock
%build
@ -154,6 +166,13 @@ fi
%changelog
* Mon Mar 22 2010 Tomas Bzatek <tbzatek@redhat.com> - 2.29.92-2
- More robust error display and handling
- [secret-store] Don't save session keyring to disk
- [dbus] Allow unlocking even when always unlock is not available
- [dbus] Hide the automatically unlock check when login not usable
- [login] Fix various issues storing and using auto unlock passwords
* Wed Mar 10 2010 Tomas Bzatek <tbzatek@redhat.com> - 2.29.92-1
- Update to 2.29.92