[Pkg-wmaker-commits] [wmbiff] 05/14: use the apple keychain to grab passwords! I can very nearly forget about typing them in anymore
Doug Torrance
dtorrance-guest at moszumanska.debian.org
Thu Aug 20 03:03:59 UTC 2015
This is an automated email from the git hooks/post-receive script.
dtorrance-guest pushed a commit to tag wmbiff_0_4_17
in repository wmbiff.
commit 7f7a8786c628681c3c6662149687f385f0471906
Author: bluehal <bluehal>
Date: Sat Jul 19 23:56:32 2003 +0000
use the apple keychain to grab passwords! I can very nearly forget about typing them in anymore
---
NEWS | 4 +-
configure.ac | 4 ++
wmbiff/passwordMgr.c | 167 ++++++++++++++++++++++++++++++++++++++-------------
3 files changed, 133 insertions(+), 42 deletions(-)
diff --git a/NEWS b/NEWS
index a8862cd..2fe200f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,8 @@
Release Notes
~~~~~~~~~~~~~
Release 0.4.17 -
+ * On Mac, ask the keychain for passwords if
+ askpass = internal:apple:keychain
Release 0.4.16 - July 7, 2003
* Checks TLS certificates. See wmbiffrc(5) for
@@ -438,4 +440,4 @@ Release 0.1 - Wed, 17 Nov 1999 00:00:00 +0000
* Initial release by Gennady Belyakov <gb at ccat.elect.ru>.
-$Id: NEWS,v 1.47 2003/07/15 08:41:45 bluehal Exp $
+$Id: NEWS,v 1.48 2003/07/19 23:56:32 bluehal Exp $
diff --git a/configure.ac b/configure.ac
index a076be1..2579b30 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,6 +27,8 @@ case `(uname -s) 2>/dev/null` in
"Darwin")
CFLAGS="$CFLAGS -no-cpp-precomp"
AC_MSG_RESULT(adding cpp precompiler workaround for Mac OS X)
+ LDFLAGS="$LDFLAGS -framework Security"
+ AC_MSG_RESULT(adding -framework Security for Mac OS X)
;;
esac
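Review bot: `-framework Security` is appended to LDFLAGS for every Darwin build, but the keychain code that needs it is compiled only when both headers are found by the `AC_CHECK_HEADERS(CoreServices/CoreServices.h Security/Security.h)` call added in the next hunk. Moving the LDFLAGS addition into the found-action of that header check would keep the link flag and HAVE_APPLE_KEYCHAIN in step, so a system without the headers does not link a framework it never uses.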
@@ -144,6 +146,8 @@ AC_PATH_PROGS(DEFAULT_ASKPASS, ssh-askpass x11-ssh-askpass ssh-askpass-gnome, /u
AC_PATH_PROG(CVS2CL, cvs2cl)
AC_DEFINE_UNQUOTED(DEFAULT_ASKPASS, "$DEFAULT_ASKPASS", [Program to use for querying the user for a password: redefine if not on a debian system])
+AC_CHECK_HEADERS(CoreServices/CoreServices.h Security/Security.h)
+
dnl Skin files; note - this is duplicated in wmbiff/Makefile.am
dnl haven't thought of a way around it.
if test "x$prefix" != xNONE; then
diff --git a/wmbiff/passwordMgr.c b/wmbiff/passwordMgr.c
index 41f3668..723ca00 100644
--- a/wmbiff/passwordMgr.c
+++ b/wmbiff/passwordMgr.c
@@ -90,6 +90,111 @@ int permissions_ok(Pop3 pc, const char *askpass_fname)
return (1);
}
+#ifdef HAVE_CORESERVICES_CORESERVICES_H
+#ifdef HAVE_SECURITY_SECURITY_H
+#define HAVE_APPLE_KEYCHAIN
+#endif
+#endif
+
+
+#ifdef HAVE_APPLE_KEYCHAIN
+/* routines to use apple's keychain to get a password
+ without a user having to type. this avoids some damage
+ where although ssh-askpass can grab focus within X, it
+ may not have a particularly secure keyboard. */
+
+#include<CoreServices/CoreServices.h>
+#include<Security/Security.h>
+
+static void get_password_from_keychain(Pop3 pc, const char *username,
+ const char *servername,
+ /*@out@*/ char *password,
+ /*@out@*/ unsigned char *password_len) {
+ SecKeychainRef kc;
+ OSStatus rc;
+ char *secpwd;
+ UInt32 pwdlen;
+ rc = SecKeychainCopyDefault(&kc);
+ if(rc != noErr) {
+ DM(pc, DEBUG_ERROR, "passmgr: unable to open keychain, exiting\n");
+ exit(EXIT_FAILURE);
+ }
+ rc = SecKeychainFindInternetPassword(kc, strlen(servername), servername,
+ 0, NULL,
+ strlen(username), username,
+ 0, NULL, 0, NULL,
+ kSecAuthenticationTypeDefault,
+ &pwdlen, (void **)&secpwd, NULL);
+ if(rc != noErr) {
+ DM(pc, DEBUG_ERROR,
+ "passmgr: keychain password grab failed, exiting\n");
+ DM(pc, DEBUG_ERROR,
+ "passmgr: (perhaps you pressed 'deny')\n");
+ /* this seems like the sanest thing to do, for now */
+ exit(EXIT_FAILURE);
+ }
+
+ if(pwdlen < *password_len) {
+ strcpy(password, secpwd);
+ *password_len = strlen(password);
+ } else {
+ DM(pc, DEBUG_ERROR,
+ "passmgr: warning: your password appears longer (%d) than expected (%d)\n",
+ strlen(secpwd), *password_len - 1);
+ }
+ rc = SecKeychainItemFreeContent(NULL, secpwd);
+ return;
+}
+#endif /* apple keychain */
+
+
+static void get_password_from_command(Pop3 pc, const char *username,
+ const char *servername,
+ /*@out@*/ char *password,
+ /*@out@*/ unsigned char *password_len) {
+ password[*password_len-1] = '\0';
+ password[0] = '\0';
+ /* check that the executed file is a good one. */
+ if (permissions_ok(pc, pc->askpass)) {
+ char *command;
+ char *password_ptr;
+ int len =
+ strlen(pc->askpass) + strlen(username) +
+ strlen(servername) + 40;
+ command = malloc(len);
+ snprintf(command, len, "%s 'password for wmbiff: %s@%s'",
+ pc->askpass, username, servername);
+
+ (void) grabCommandOutput(pc, command, &password_ptr, NULL);
+ /* it's not clear what to do with the exit
+ status, though we can get it from
+ grabCommandOutput if needed to deal with some
+ programs that will print a message but exit
+ non-zero on error */
+ free(command);
+
+ if (password_ptr == NULL) {
+ /* this likely means that the user cancelled, and doesn't
+ want us to keep asking about the password. */
+ DM(pc, DEBUG_ERROR,
+ "passmgr: fgets password failed, exiting\n");
+ DM(pc, DEBUG_ERROR,
+ "passmgr: (it looks like you pressed 'cancel')\n");
+ /* this seems like the sanest thing to do, for now */
+ exit(EXIT_FAILURE);
+ }
+ strncpy(password, password_ptr, *password_len);
+ free(password_ptr);
+ if( password[*password_len-1] != '\0' ) {
+ DM(pc, DEBUG_ERROR,
+ "passmgr: warning: your password appears longer (%d) than expected (%d)\n",
+ strlen(password_ptr), *password_len - 1);
+ }
+ password[*password_len-1] = '\0';
+ *password_len = strlen(password);
+ }
+}
+
char *passwordFor(const char *username,
const char *servername, Pop3 pc, int bFlushCache)
{
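Review bot: In get_password_from_keychain, `strcpy(password, secpwd)` treats the keychain buffer as a C string, but SecKeychainFindInternetPassword reports the length through pwdlen and, as far as I know, does not promise a terminating NUL, so the copy (and the `strlen(secpwd)` in the warning) can read past the returned data and write past the caller's buffer. Copy exactly pwdlen bytes and terminate explicitly, clear `password[0]` on the too-long path so the caller's `p->password[0] != '\0'` test does not see stale bytes, and release kc; the fence shows that branch. Separately, get_password_from_command calls `free(password_ptr)` and then passes `strlen(password_ptr)` to DM in the length warning, which is a use-after-free; take the length before the free or move the free below the warning. The `malloc(len)` result for command is also used unchecked.

```c
    /* ... unchanged: SecKeychainCopyDefault and SecKeychainFindInternetPassword calls ... */

    /* keychain data is pwdlen raw bytes, not a NUL-terminated string */
    if (pwdlen < *password_len) {
        memcpy(password, secpwd, pwdlen);
        password[pwdlen] = '\0';
        *password_len = (unsigned char) pwdlen;
    } else {
        DM(pc, DEBUG_ERROR,
           "passmgr: warning: your password appears longer (%lu) than expected (%d)\n",
           (unsigned long) pwdlen, *password_len - 1);
        password[0] = '\0';     /* leave the out-buffer in a defined, empty state */
    }
    (void) SecKeychainItemFreeContent(NULL, secpwd);
    CFRelease(kc);
```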
@@ -110,8 +215,10 @@ char *passwordFor(const char *username,
if (p->password[0] != '\0') {
if (bFlushCache == 0) {
char *ret = strdup(p->password);
+#ifdef HAVE_MEMFROB
unsigned short ret_len = p->password_len;
DEFROB(ret);
+#endif
return (ret);
}
/* else fall through, overwrite */
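Review bot: The cached path still calls `strdup(p->password)` on the obfuscated buffer and only afterwards de-obfuscates it, so if ENFROB is a memfrob-style XOR (its definition is not in this hunk) a password byte that encodes to zero would truncate the copy, and DEFROB over `ret_len` bytes would then write past the shorter allocation. Copying `p->password_len` bytes explicitly (malloc plus memcpy, then terminate) would avoid depending on where a NUL lands in the encoded form. The new `#ifdef HAVE_MEMFROB` also deserves a one-line comment stating that without memfrob the cache holds the password unobfuscated, assuming ENFROB is a no-op in that configuration. passwordFor starts and ends outside the hunk.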
@@ -127,52 +234,30 @@ char *passwordFor(const char *username,
/* else, try to get it. */
if (pc->askpass != NULL) {
- /* check that the executed file is a good one. */
- if (permissions_ok(pc, pc->askpass)) {
- char *command;
- char *password_ptr;
- int len =
- strlen(pc->askpass) + strlen(username) +
- strlen(servername) + 40;
- command = malloc(len);
- snprintf(command, len, "%s 'password for wmbiff: %s@%s'",
- pc->askpass, username, servername);
-
- (void) grabCommandOutput(pc, command, &password_ptr, NULL);
- /* it's not clear what to do with the exit
- status, though we can get it from
- grabCommandOutput if needed to deal with some
- programs that will print a message but exit
- non-zero on error */
- free(command);
-
- if (password_ptr == NULL) {
- /* this likely means that the user cancelled, and doesn't
- want us to keep asking about the password. */
- DM(pc, DEBUG_ERROR,
- "passmgr: fgets password failed, exiting\n");
- DM(pc, DEBUG_ERROR,
- "passmgr: (it looks like you pressed 'cancel')\n");
- /* this seems like the sanest thing to do, for now */
- exit(EXIT_FAILURE);
- }
-
+ p->password_len = 32;
+#ifdef HAVE_APPLE_KEYCHAIN
+ if(strcmp(pc->askpass, "internal:apple:keychain") == 0) {
+ get_password_from_keychain(pc, username, servername,
+ p->password, &p->password_len);
+ } else {
+ DM(pc, DEBUG_ERROR,
+ "you could change your askpass line to:\n"
+ " askpass = internal:apple:keychain\n"
+ "to use the OS X keychain instead of running a command\n");
+#endif
+ get_password_from_command(pc, username, servername,
+ p->password, &p->password_len);
+#ifdef HAVE_APPLE_KEYCHAIN
+ }
+#endif
+ if(p->password[0] != '\0') {
+ char *retval = strdup(p->password);
strcpy(p->user, username);
strcpy(p->server, servername);
- strncpy(p->password, password_ptr, 31);
- p->password[31] = '\0'; /* force a null termination */
- // caller is responsible for freeing plaintext version free(password_ptr);
- p->password_len = strlen(p->password);
ENFROB(p->password);
p->next = pass_list;
pass_list = p;
- if (strlen(password_ptr) > 31) {
- DM(pc, DEBUG_ERROR,
- "passmgr: warning: your password appears longer (%d) than expected (%d)\n",
- strlen(password_ptr), 31);
- password_ptr[31] = '\0';
- }
- return (password_ptr);
+ return (retval);
}
}
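Review bot: `p->password_len = 32;` hard-codes the size that both helpers then trust as the write bound for `p->password`, so a later change to the struct field would silently turn their copies into overflows; `p->password_len = sizeof p->password;` keeps the two tied together, assuming password is an array member (the struct is not shown here). The `strcpy(p->user, username)` and `strcpy(p->server, servername)` lines kept as context are unbounded as well and would benefit from a length check before the entry is cached. `strdup(p->password)` can return NULL and the result is returned unchecked. The function continues outside the hunk.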
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-wmaker/wmbiff.git