gnome-keyring r1130 - in trunk: . pk ssh



Author: nnielsen
Date: Sun Apr  6 04:14:39 2008
New Revision: 1130
URL: http://svn.gnome.org/viewvc/gnome-keyring?rev=1130&view=rev

Log:
	* pk/gkr-pk-object.c:
	* pk/gkr-pk-object.h:
	* pk/gkr-pk-privkey.c: 
	* ssh/gkr-ssh-daemon-ops.c: Make 'ssh-add -D' and 'ssh-add -d'
	lock any SSH private keys that gnome-keyring natively handles.
	Fixes bug #524823


Modified:
   trunk/ChangeLog
   trunk/pk/gkr-pk-object.c
   trunk/pk/gkr-pk-object.h
   trunk/pk/gkr-pk-privkey.c
   trunk/ssh/gkr-ssh-daemon-ops.c

Modified: trunk/pk/gkr-pk-object.c
==============================================================================
--- trunk/pk/gkr-pk-object.c	(original)
+++ trunk/pk/gkr-pk-object.c	Sun Apr  6 04:14:39 2008
@@ -407,6 +407,17 @@
 	g_hash_table_remove_all (pv->attr_cache);
 }
 
+void
+gkr_pk_object_lock (GkrPkObject *object)
+{
+	GkrPkObjectClass *klass;
+	
+	klass = GKR_PK_OBJECT_GET_CLASS (object);
+
+	if (klass->lock)
+		(*klass->lock) (object);
+}
+
 gboolean
 gkr_pk_object_match_one (GkrPkObject *object, CK_ATTRIBUTE_PTR rattr)
 {
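Review bot: gkr_pk_object_lock passes `object` straight to GKR_PK_OBJECT_GET_CLASS without validating it, so a NULL or wrong-typed pointer from a caller is dereferenced; add `g_return_if_fail (GKR_IS_PK_OBJECT (object));` as the first statement. The function would also benefit from a short header comment saying that classes without a `lock` implementation are silently skipped, because the SSH agent callers in this commit report success either way. The context line at the top of the hunk shows an attribute cache being cleared elsewhere in this file. If that cache can hold values derived from private key material, lock should probably clear it as well, though that cannot be confirmed from this hunk.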

Modified: trunk/pk/gkr-pk-object.h
==============================================================================
--- trunk/pk/gkr-pk-object.h	(original)
+++ trunk/pk/gkr-pk-object.h	Sun Apr  6 04:14:39 2008
@@ -79,6 +79,12 @@
 	 * the data, as long as the representation is later decryptable. 
 	 */
 	guchar* (*serialize) (GkrPkObject *obj, const gchar* password, gsize *n_data);
+	
+	/* 
+	 * Asks the object to lock itself, ie: remove any sensitive data from 
+	 * memory.
+	 */
+	void (*lock) (GkrPkObject *obj);
 };
 
 GType               gkr_pk_object_get_type         (void) G_GNUC_CONST;
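Review bot: The comment on the new `lock` slot leaves out the contract that the rest of the commit relies on. The slot may be left NULL, since gkr_pk_object_lock skips it in that case, and an implementation has to tolerate an already-locked object, as gkr_pk_privkey_lock does by returning early. I would extend the comment along the lines of `Optional. Must be safe to call repeatedly; after it returns, no decrypted key material may remain reachable from the object.`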
@@ -90,6 +96,8 @@
 
 void                gkr_pk_object_flush            (GkrPkObject *object);
 
+void                gkr_pk_object_lock             (GkrPkObject *object);
+
 gboolean            gkr_pk_object_match            (GkrPkObject *object,
                                                     GArray *attrs);
                                                     

Modified: trunk/pk/gkr-pk-privkey.c
==============================================================================
--- trunk/pk/gkr-pk-privkey.c	(original)
+++ trunk/pk/gkr-pk-privkey.c	Sun Apr  6 04:14:39 2008
@@ -519,6 +519,20 @@
 }
 
 static void
+gkr_pk_privkey_lock (GkrPkObject *obj)
+{
+	GkrPkPrivkey *key = GKR_PK_PRIVKEY (obj);
+
+	if (!key->priv->s_key)
+		return;
+	
+	gcry_sexp_release (key->priv->s_key);
+	key->priv->s_key = NULL;
+	
+	initialize_from_key (key);
+}
+
+static void
 gkr_pk_privkey_dispose (GObject *obj)
 {
 	GkrPkPrivkey *key = GKR_PK_PRIVKEY (obj);
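Review bot: gkr_pk_privkey_lock relies on `gcry_sexp_release` to get the private key out of memory, but as far as I know libgcrypt wipes an S-expression on release only when it was allocated in secure memory; otherwise the bytes are just freed. Whether `s_key` is always created in secure memory is not visible in this hunk, so the assumption should be written down above the release, e.g. `/* s_key must live in gcrypt secure memory so that release wipes it */`. A second comment on the `initialize_from_key (key)` call would help, saying that it is invoked with a NULL key to reset state derived from it; that is presumably what the old finalize code asserted, but it should be confirmed against that function.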
@@ -536,13 +550,13 @@
 {
 	GkrPkPrivkey *key = GKR_PK_PRIVKEY (obj);
 
+	g_assert (!key->priv->pubkey);
+
 	gcry_sexp_release (key->priv->s_key);
 	key->priv->s_key = NULL;
-	
-	initialize_from_key (key);
-	
-	g_assert (!key->priv->pubkey);
-	g_assert (!key->priv->numbers);
+
+	gcry_sexp_release (key->priv->numbers);
+	key->priv->numbers = NULL;	
 	
 	G_OBJECT_CLASS (gkr_pk_privkey_parent_class)->finalize (obj);
 }
@@ -558,6 +572,7 @@
 	parent_class = GKR_PK_OBJECT_CLASS (klass);
 	parent_class->get_attribute = gkr_pk_privkey_get_attribute;
 	parent_class->serialize = gkr_pk_privkey_serialize;
+	parent_class->lock = gkr_pk_privkey_lock;
 	
 	gobject_class = (GObjectClass*)klass;
 	gobject_class->get_property = gkr_pk_privkey_get_property;

Modified: trunk/ssh/gkr-ssh-daemon-ops.c
==============================================================================
--- trunk/ssh/gkr-ssh-daemon-ops.c	(original)
+++ trunk/ssh/gkr-ssh-daemon-ops.c	Sun Apr  6 04:14:39 2008
@@ -570,8 +570,6 @@
 	if (!make_decrypt_sexp (challenge, &sdata))
 		return FALSE;
 
-gkr_crypto_sexp_dump (sdata);
-
 	/* Do the magic */
 	gcry = gcry_pk_decrypt (&splain, sdata, skey);
 
@@ -582,8 +580,6 @@
 		goto cleanup;
 	}
 	
-gkr_crypto_sexp_dump (splain);
-
 	/* Number of bits in the key */
 	bits = gcry_pk_get_nbits (skey);
 	g_return_val_if_fail (bits, FALSE);
@@ -625,6 +621,7 @@
 op_remove_identity (GkrBuffer *req, GkrBuffer *resp)
 {
 	GkrPkPrivkey *key;
+	GkrPkObject *obj;
 	gcry_sexp_t skey;
 	gsize offset;
 	
@@ -632,11 +629,27 @@
 	if (!gkr_ssh_proto_read_public (req, &offset, &skey, NULL))
 		return FALSE;
 	
-	key = find_private_key (skey, FALSE, 2);
+	key = find_private_key (skey, TRUE, 2);
 	gcry_sexp_release (skey);
 
-	if (key)
-		remove_session_key (key);
+	if (key) {
+		obj = GKR_PK_OBJECT (key);
+		
+		/* 
+		 * When the key is just a session key, then remove it
+		 * completely. 
+		 */ 
+		if (obj->manager == session_manager)
+			remove_session_key (key);
+			
+		/* 
+		 * Otherwise lock it so the user gets prompted for 
+		 * any passwords again. 
+		 */
+		else
+			gkr_pk_object_lock (obj);
+	}
+	
 	gkr_buffer_add_byte (resp, GKR_SSH_RES_SUCCESS);
 
 	return TRUE;	
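Review bot: The test `if (obj->manager == session_manager)` does not check that `session_manager` is set, unlike op_remove_all_identities, which guards its session-key loop with `if (session_manager)`. If both pointers can be NULL here, the key would go to remove_session_key instead of being locked; `if (session_manager && obj->manager == session_manager)` makes the intent explicit. The unbraced if/else with block comments between the two arms is also easy to break when edited, so braces on both arms would be safer. The start of op_remove_identity lies in the preceding hunk.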
@@ -667,8 +680,9 @@
 op_remove_all_identities (GkrBuffer *req, GkrBuffer *resp)
 {
 	GkrPkPrivkey *key;
-	GList *l, *removes = NULL;
+	GList *objects, *l, *removes = NULL;
 	
+	/* Remove all session keys */
 	if (session_manager) {
 		for (l = session_manager->objects; l; l = g_list_next (l)) {
 			if (!GKR_IS_PK_PRIVKEY (l->data))
@@ -683,6 +697,17 @@
 		g_list_free (removes);
 	}
 	
+	/* And now we lock all private keys with usage = SSH */
+	objects = gkr_pk_object_manager_findv (gkr_pk_object_manager_for_token (), GKR_TYPE_PK_PRIVKEY, 
+	                                       CKA_GNOME_PURPOSE_SSH_AUTH, CK_TRUE, 0, NULL);
+	
+	for (l = objects; l; l = g_list_next (l)) { 
+		g_return_val_if_fail (GKR_IS_PK_OBJECT (l->data), FALSE);
+		gkr_pk_object_lock (GKR_PK_OBJECT (l->data));
+	}
+	
+	g_list_free (objects);
+	
 	gkr_buffer_add_byte (resp, GKR_SSH_RES_SUCCESS);
 	return TRUE;
 }
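Review bot: The `g_return_val_if_fail (GKR_IS_PK_OBJECT (l->data), FALSE);` inside the lock loop returns from op_remove_all_identities on the first unexpected entry, which leaks `objects` and, more importantly, leaves every remaining key unlocked with no response byte written. For an operation whose purpose is to drop key material, it is safer to skip the bad entry and keep going: `if (!GKR_IS_PK_OBJECT (l->data)) { g_warning ("unexpected object in key list"); continue; }`. The check also disappears entirely when GLib is built with G_DISABLE_CHECKS. The beginning of the function is in the previous hunk.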


