[network-manager-openvpn/lr/p11-forward: 1/5] all: use libsecret to wipe the password memory

[Lubomir Rintel <lkundrak src gnome org>]

commit 6d831737e10d087b3d669eb2c8f1b70842aa889a
Author: Lubomir Rintel <lkundrak v3 sk>
Date:   Mon Jun 20 13:39:41 2016 +0200

    all: use libsecret to wipe the password memory
    
    The passwords can still be paged away to secondary storage. libgcr
    provides API to lock the ranges into memory; however it has a dependency
    chain that's too big for the service (it drags in Gtk).
    
    Nevertheless, the memset() was completely useless; it would just be optimized
    away at compiler's liberty.

 auth-dialog/main.c       |    2 +-
 src/Makefile.am          |    4 +++-
 src/nm-openvpn-service.c |   22 ++++++++++++----------
 3 files changed, 16 insertions(+), 12 deletions(-)
---
diff --git a/auth-dialog/main.c b/auth-dialog/main.c
index df06d95..fcfc29b 100644
--- a/auth-dialog/main.c
+++ b/auth-dialog/main.c
@@ -433,7 +433,7 @@ static void
 free_secret (char *p)
 {
        if (p) {
-               memset (p, 0, strlen (p));
+               secret_password_wipe (p);
                g_free (p);
        }
 }
diff --git a/src/Makefile.am b/src/Makefile.am
index 0bd68b7..7314a17 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,6 +1,7 @@
 AM_CPPFLAGS = \
        $(GLIB_CFLAGS) \
        $(LIBNM_CFLAGS) \
+       $(LIBSECRET_CFLAGS) \
        -I$(top_srcdir)/shared \
        -DBINDIR=\"$(bindir)\" \
        -DPREFIX=\""$(prefix)"\" \
@@ -32,7 +33,8 @@ nm_openvpn_service_SOURCES = \
        nm-openvpn-service.h
 
 nm_openvpn_service_LDADD = \
-       $(LIBNM_LIBS)
+       $(LIBNM_LIBS) \
+       $(LIBSECRET_LIBS)
 
 ###############################################################################
 
diff --git a/src/nm-openvpn-service.c b/src/nm-openvpn-service.c
index e5a1aa9..21063c5 100644
--- a/src/nm-openvpn-service.c
+++ b/src/nm-openvpn-service.c
@@ -46,6 +46,8 @@
 #include <grp.h>
 #include <glib-unix.h>
 
+#include <libsecret/secret.h>
+
 #include "utils.h"
 #include "nm-utils/nm-shared-utils.h"
 #include "nm-utils/nm-vpn-plugin-macros.h"
@@ -464,15 +466,15 @@ nm_openvpn_disconnect_management_socket (NMOpenvpnPlugin *plugin)
        g_free (io_data->pending_auth);
 
        if (io_data->password)
-               memset (io_data->password, 0, strlen (io_data->password));
+               secret_password_wipe (io_data->password);
        g_free (io_data->password);
 
        if (io_data->priv_key_pass)
-               memset (io_data->priv_key_pass, 0, strlen (io_data->priv_key_pass));
+               secret_password_wipe (io_data->priv_key_pass);
        g_free (io_data->priv_key_pass);
 
        if (io_data->proxy_password)
-               memset (io_data->proxy_password, 0, strlen (io_data->proxy_password));
+               secret_password_wipe (io_data->proxy_password);
        g_free (io_data->proxy_password);
 
        g_free (priv->io_data);
@@ -543,7 +545,7 @@ write_user_pass (GIOChannel *channel,
                               "password \"%s\" \"%s\"\n",
                               authtype, quser,
                               authtype, qpass);
-       memset (qpass, 0, strlen (qpass));
+       secret_password_wipe (qpass);
        g_free (qpass);
        g_free (quser);
 
@@ -551,7 +553,7 @@ write_user_pass (GIOChannel *channel,
        g_io_channel_write_chars (channel, buf, strlen (buf), NULL, NULL);
        g_io_channel_flush (channel, NULL);
 
-       memset (buf, 0, strlen (buf));
+       secret_password_wipe (buf);
        g_free (buf);
 }
 
@@ -602,7 +604,7 @@ handle_auth (NMOpenvpnPluginIOData *io_data,
                        /* Quote strings passed back to openvpn */
                        qpass = ovpn_quote_string (io_data->priv_key_pass);
                        buf = g_strdup_printf ("password \"%s\" \"%s\"\n", requested_auth, qpass);
-                       memset (qpass, 0, strlen (qpass));
+                       secret_password_wipe (qpass);
                        g_free (qpass);
 
                        /* Will always write everything in blocking channels (on success) */
@@ -712,7 +714,7 @@ handle_management_socket (NMOpenvpnPlugin *plugin,
                                 * will request a new one after restarting.
                                 */
                                if (priv->io_data->password)
-                                       memset (priv->io_data->password, 0, strlen (priv->io_data->password));
+                                       secret_password_wipe (priv->io_data->password);
                                g_clear_pointer (&priv->io_data->password, g_free);
                                fail = FALSE;
                        }
@@ -1009,14 +1011,14 @@ update_io_data_from_vpn_setting (NMOpenvpnPluginIOData *io_data,
        io_data->username = tmp ? g_strdup (tmp) : NULL;
 
        if (io_data->password) {
-               memset (io_data->password, 0, strlen (io_data->password));
+               secret_password_wipe (io_data->password);
                g_free (io_data->password);
        }
        tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_PASSWORD);
        io_data->password = tmp ? g_strdup (tmp) : NULL;
 
        if (io_data->priv_key_pass) {
-               memset (io_data->priv_key_pass, 0, strlen (io_data->priv_key_pass));
+               secret_password_wipe (io_data->priv_key_pass);
                g_free (io_data->priv_key_pass);
        }
        tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_CERTPASS);
@@ -1027,7 +1029,7 @@ update_io_data_from_vpn_setting (NMOpenvpnPluginIOData *io_data,
        io_data->proxy_username = tmp ? g_strdup (tmp) : NULL;
 
        if (io_data->proxy_password) {
-               memset (io_data->proxy_password, 0, strlen (io_data->proxy_password));
+               secret_password_wipe (io_data->proxy_password);
                g_free (io_data->proxy_password);
        }
        tmp = nm_setting_vpn_get_secret (s_vpn, NM_OPENVPN_KEY_HTTP_PROXY_PASSWORD);