Add optional keyring + encrypted password fallback

2026-06-17 20:19:24 +00:00 · 2026-06-02 15:57:28 -06:00
parent 3722de6b13
commit 26afc125c7
11 changed files with 530 additions and 38 deletions
--- a/src/common/common.vcxproj
+++ b/src/common/common.vcxproj
@@ -32,6 +32,7 @@
    <ClInclude Include="public_suffix_data.h" />
    <ClInclude Include="server.h" />
    <ClInclude Include="servlist.h" />
+    <ClInclude Include="secretstore.h" />
    <ClInclude Include="ssl.h" />
    <ClInclude Include="scram.h" />
    <ClInclude Include="sysinfo\sysinfo.h" />
@@ -68,6 +69,7 @@
    <ClCompile Include="proto-irc.c" />
    <ClCompile Include="server.c" />
    <ClCompile Include="servlist.c" />
+    <ClCompile Include="secretstore.c" />
    <ClCompile Include="ssl.c" />
    <ClCompile Include="scram.c" />
    <ClCompile Include="sts.c" />
--- a/src/common/common.vcxproj.filters
+++ b/src/common/common.vcxproj.filters
@@ -74,6 +74,9 @@
    <ClInclude Include="servlist.h">
      <Filter>Header Files</Filter>
    </ClInclude>
+    <ClInclude Include="secretstore.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
    <ClInclude Include="ssl.h">
      <Filter>Header Files</Filter>
    </ClInclude>
@@ -178,6 +181,9 @@
    <ClCompile Include="servlist.c">
      <Filter>Source Files</Filter>
    </ClCompile>
+    <ClCompile Include="secretstore.c">
+      <Filter>Source Files</Filter>
+    </ClCompile>
    <ClCompile Include="ssl.c">
      <Filter>Source Files</Filter>
    </ClCompile>
--- a/src/common/meson.build
+++ b/src/common/meson.build
@@ -27,6 +27,8 @@ common_sources = [
  'util.c'
 ]

+secretstore_sources = files('secretstore.c')
+
 common_sysinfo_deps = []
 libarchive_dep = dependency('libarchive', required: host_machine.system() != 'windows')

@@ -38,6 +40,9 @@ common_deps = [
 if libarchive_dep.found()
  common_deps += libarchive_dep
 endif
+if libsecret_dep.found()
+  common_deps += libsecret_dep
+endif

 common_includes = [
  config_h_include,
@@ -127,7 +132,7 @@ if get_option('plugin')
 endif

 zoitechat_common = static_library('zoitechatcommon',
-  sources: [textevents, public_suffix_data] + marshal + common_sources,
+  sources: [textevents, public_suffix_data] + marshal + common_sources + secretstore_sources,
  include_directories: config_h_include,
  dependencies: common_deps + common_sysinfo_deps,
  c_args: common_cflags,
--- a/src/common/plugin.c
+++ b/src/common/plugin.c
@@ -1213,8 +1213,6 @@ zoitechat_get_info (zoitechat_plugin *ph, const char *id)

 	case 0x4889ba9b: /* password */
 	case 0x438fdf9: /* nickserv */
-		if (sess->server->network)
-			return ((ircnet *)sess->server->network)->pass;
 		return NULL;

 	case 0xca022f43: /* server */
--- a/src/common/secretstore.c
+++ b/src/common/secretstore.c
@@ -0,0 +1,173 @@
+#include "zoitechat.h"
+#include "cfgfiles.h"
+#include "secretstore.h"
+
+#include <string.h>
+
+#ifdef WIN32
+#include <windows.h>
+#include <wincred.h>
+#endif
+
+#ifdef HAVE_LIBSECRET
+#include <libsecret/secret.h>
+#endif
+
+static char *secretstore_target (const char *network_name)
+{
+	return g_strdup_printf ("zoitechat/network/%s", network_name ? network_name : "default");
+}
+
+int secretstore_is_keyring_available (void)
+{
+#ifdef WIN32
+	return TRUE;
+#elif defined(HAVE_LIBSECRET)
+	return TRUE;
+#else
+	return FALSE;
+#endif
+}
+
+char *secretstore_get_network_password (const char *network_name)
+{
+	char *target;
+	target = secretstore_target (network_name);
+#ifdef WIN32
+	{
+		PCREDENTIALA cred = NULL;
+		char *ret = NULL;
+		if (CredReadA (target, CRED_TYPE_GENERIC, 0, &cred))
+		{
+			ret = g_strndup ((const char *) cred->CredentialBlob, cred->CredentialBlobSize);
+			CredFree (cred);
+		}
+		g_free (target);
+		return ret;
+	}
+#elif defined(HAVE_LIBSECRET)
+	{
+		static const SecretSchema schema = {
+			"net.zoite.ZoiteChat.Network", SECRET_SCHEMA_NONE,
+			{
+				{ "network", SECRET_SCHEMA_ATTRIBUTE_STRING },
+				{ NULL, 0 },
+			}
+		};
+		char *ret = secret_password_lookup_sync (&schema, NULL, NULL, "network", target, NULL);
+		g_free (target);
+		return ret;
+	}
+#else
+	g_free (target);
+	return NULL;
+#endif
+}
+
+int secretstore_set_network_password (const char *network_name, const char *password)
+{
+	char *target;
+	target = secretstore_target (network_name);
+#ifdef WIN32
+	{
+		CREDENTIALA cred;
+		memset (&cred, 0, sizeof (cred));
+		cred.Type = CRED_TYPE_GENERIC;
+		cred.TargetName = target;
+		cred.CredentialBlobSize = (DWORD) strlen (password);
+		cred.CredentialBlob = (LPBYTE) password;
+		cred.Persist = CRED_PERSIST_LOCAL_MACHINE;
+		cred.UserName = "zoitechat";
+		if (!CredWriteA (&cred, 0))
+		{
+			g_free (target);
+			return FALSE;
+		}
+		g_free (target);
+		return TRUE;
+	}
+#elif defined(HAVE_LIBSECRET)
+	{
+		static const SecretSchema schema = {
+			"net.zoite.ZoiteChat.Network", SECRET_SCHEMA_NONE,
+			{
+				{ "network", SECRET_SCHEMA_ATTRIBUTE_STRING },
+				{ NULL, 0 },
+			}
+		};
+		gboolean ok = secret_password_store_sync (&schema, SECRET_COLLECTION_DEFAULT,
+			"ZoiteChat network password", password, NULL, NULL, "network", target, NULL);
+		g_free (target);
+		return ok;
+	}
+#else
+	g_free (target);
+	return FALSE;
+#endif
+}
+
+int secretstore_delete_network_password (const char *network_name)
+{
+	char *target;
+	target = secretstore_target (network_name);
+#ifdef WIN32
+	{
+		gboolean ok = CredDeleteA (target, CRED_TYPE_GENERIC, 0);
+		g_free (target);
+		return ok;
+	}
+#elif defined(HAVE_LIBSECRET)
+	{
+		static const SecretSchema schema = {
+			"net.zoite.ZoiteChat.Network", SECRET_SCHEMA_NONE,
+			{
+				{ "network", SECRET_SCHEMA_ATTRIBUTE_STRING },
+				{ NULL, 0 },
+			}
+		};
+		gboolean ok = secret_password_clear_sync (&schema, NULL, NULL, "network", target, NULL);
+		g_free (target);
+		return ok;
+	}
+#else
+	g_free (target);
+	return FALSE;
+#endif
+}
+
+int secretstore_require_unlock (const char *network_name)
+{
+#ifdef WIN32
+	return TRUE;
+#elif defined(HAVE_LIBSECRET)
+	{
+		static const SecretSchema schema = {
+			"net.zoite.ZoiteChat.Network", SECRET_SCHEMA_NONE,
+			{
+				{ "network", SECRET_SCHEMA_ATTRIBUTE_STRING },
+				{ NULL, 0 },
+			}
+		};
+		char *target;
+		char *password;
+		GError *error = NULL;
+		target = secretstore_target (network_name);
+		password = secret_password_lookup_sync (&schema, NULL, &error, "network", target, NULL);
+		g_free (target);
+		if (password)
+		{
+			memset (password, 0, strlen (password));
+			g_free (password);
+			return TRUE;
+		}
+		if (error)
+		{
+			g_error_free (error);
+			return FALSE;
+		}
+		return TRUE;
+	}
+#else
+	return TRUE;
+#endif
+}
--- a/src/common/secretstore.h
+++ b/src/common/secretstore.h
@@ -0,0 +1,10 @@
+#ifndef ZOITECHAT_SECRETSTORE_H
+#define ZOITECHAT_SECRETSTORE_H
+
+char *secretstore_get_network_password (const char *network_name);
+int secretstore_set_network_password (const char *network_name, const char *password);
+int secretstore_delete_network_password (const char *network_name);
+int secretstore_is_keyring_available (void);
+int secretstore_require_unlock (const char *network_name);
+
+#endif
--- a/src/common/servlist.c
+++ b/src/common/servlist.c
@@ -33,9 +33,146 @@
 #include "text.h"
 #include "util.h" /* token_foreach */
 #include "zoitechatc.h"
+#include "secretstore.h"

 #include "servlist.h"

+#ifdef USE_OPENSSL
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#endif
+
+char *
+servlist_password_encrypt_for_storage (const char *pass)
+{
+	gchar *material;
+	unsigned char salt[16];
+	unsigned char iv[16];
+	unsigned char key[32];
+	unsigned char *ciphertext;
+	int outlen1;
+	int outlen2;
+	int inlen;
+	int cipherlen;
+	EVP_CIPHER_CTX *ctx;
+	char *b64;
+	char *ret;
+	if (!pass || !*pass)
+		return NULL;
+#ifdef USE_OPENSSL
+	if (RAND_bytes (salt, sizeof (salt)) != 1 || RAND_bytes (iv, sizeof (iv)) != 1)
+		return NULL;
+	material = g_strdup_printf ("%s|%s", g_get_user_name (), get_xdir ());
+	if (!PKCS5_PBKDF2_HMAC (material, -1, salt, sizeof (salt), 300000, EVP_sha256 (), sizeof (key), key))
+	{
+		g_free (material);
+		return NULL;
+	}
+	g_free (material);
+	inlen = (int) strlen (pass);
+	ciphertext = g_malloc (inlen + EVP_MAX_BLOCK_LENGTH);
+	ctx = EVP_CIPHER_CTX_new ();
+	if (!ctx)
+	{
+		memset (key, 0, sizeof (key));
+		g_free (ciphertext);
+		return NULL;
+	}
+	if (EVP_EncryptInit_ex (ctx, EVP_aes_256_cbc (), NULL, key, iv) != 1 ||
+		EVP_EncryptUpdate (ctx, ciphertext, &outlen1, (const unsigned char *) pass, inlen) != 1 ||
+		EVP_EncryptFinal_ex (ctx, ciphertext + outlen1, &outlen2) != 1)
+	{
+		EVP_CIPHER_CTX_free (ctx);
+		memset (key, 0, sizeof (key));
+		g_free (ciphertext);
+		return NULL;
+	}
+	EVP_CIPHER_CTX_free (ctx);
+	cipherlen = outlen1 + outlen2;
+	{
+		gsize payload_len = sizeof (salt) + sizeof (iv) + (gsize) cipherlen;
+		unsigned char *payload = g_malloc (payload_len);
+		memcpy (payload, salt, sizeof (salt));
+		memcpy (payload + sizeof (salt), iv, sizeof (iv));
+		memcpy (payload + sizeof (salt) + sizeof (iv), ciphertext, cipherlen);
+		b64 = g_base64_encode (payload, payload_len);
+		memset (payload, 0, payload_len);
+		g_free (payload);
+	}
+	memset (key, 0, sizeof (key));
+	memset (ciphertext, 0, inlen + EVP_MAX_BLOCK_LENGTH);
+	g_free (ciphertext);
+#else
+	b64 = g_base64_encode ((const guchar *) pass, strlen (pass));
+#endif
+	ret = g_strdup_printf ("enc:%s", b64);
+	g_free (b64);
+	return ret;
+}
+
+static char *
+servlist_decrypt_password (const char *enc)
+{
+	guchar *raw;
+	gsize len;
+	char *ret;
+	if (!enc || !*enc)
+		return NULL;
+	if (!g_str_has_prefix (enc, "enc:"))
+		return g_strdup (enc);
+	raw = g_base64_decode (enc + 4, &len);
+#ifdef USE_OPENSSL
+	if (len <= 32)
+	{
+		g_free (raw);
+		return NULL;
+	}
+	{
+		unsigned char *salt = raw;
+		unsigned char *iv = raw + 16;
+		unsigned char *ciphertext = raw + 32;
+		int cipherlen = (int) (len - 32);
+		unsigned char key[32];
+		gchar *material = g_strdup_printf ("%s|%s", g_get_user_name (), get_xdir ());
+		unsigned char *plaintext = g_malloc ((gsize) cipherlen + 1);
+		int outlen1;
+		int outlen2;
+		EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new ();
+		if (!ctx || !PKCS5_PBKDF2_HMAC (material, -1, salt, 16, 300000, EVP_sha256 (), sizeof (key), key))
+		{
+			g_free (material);
+			if (ctx)
+				EVP_CIPHER_CTX_free (ctx);
+			g_free (plaintext);
+			g_free (raw);
+			return NULL;
+		}
+		g_free (material);
+		if (EVP_DecryptInit_ex (ctx, EVP_aes_256_cbc (), NULL, key, iv) != 1 ||
+			EVP_DecryptUpdate (ctx, plaintext, &outlen1, ciphertext, cipherlen) != 1 ||
+			EVP_DecryptFinal_ex (ctx, plaintext + outlen1, &outlen2) != 1)
+		{
+			EVP_CIPHER_CTX_free (ctx);
+			memset (key, 0, sizeof (key));
+			memset (plaintext, 0, (gsize) cipherlen + 1);
+			g_free (plaintext);
+			g_free (raw);
+			return NULL;
+		}
+		EVP_CIPHER_CTX_free (ctx);
+		memset (key, 0, sizeof (key));
+		plaintext[outlen1 + outlen2] = 0;
+		ret = g_strdup ((const char *) plaintext);
+		memset (plaintext, 0, (gsize) cipherlen + 1);
+		g_free (plaintext);
+	}
+#else
+	ret = g_strndup ((const char *) raw, len);
+#endif
+	g_free (raw);
+	return ret;
+}
+

 struct defaultserver
 {
@@ -344,10 +481,29 @@ servlist_connect (session *sess, ircnet *net, gboolean join)
 	}

 	serv->password[0] = 0;
-
-	if (net->pass)
+	if ((net->flags & FLAG_USE_KEYRING) && net->name)
 	{
-		safe_strcpy (serv->password, net->pass, sizeof (serv->password));
+		char *stored_pass = secretstore_get_network_password (net->name);
+		if (stored_pass && *stored_pass)
+		{
+			safe_strcpy (serv->password, stored_pass, sizeof (serv->password));
+		}
+		if (stored_pass)
+		{
+			memset (stored_pass, 0, strlen (stored_pass));
+			g_free (stored_pass);
+		}
+	}
+	else if (net->pass)
+	{
+		char *plain = servlist_decrypt_password (net->pass);
+		if (plain && *plain)
+			safe_strcpy (serv->password, plain, sizeof (serv->password));
+		if (plain)
+		{
+			memset (plain, 0, strlen (plain));
+			g_free (plain);
+		}
 	}

 	if (net->flags & FLAG_USE_GLOBAL)
@@ -982,24 +1138,6 @@ servlist_load (void)
 			 *
 			 * Should be removed at some point.
 			 */
-			case 'A':
-				if (!net->pass)
-				{
-					net->pass = g_strdup (buf + 2);
-					if (!net->logintype)
-					{
-						net->logintype = LOGIN_SASL;
-					}
-				}
-			case 'B':
-				if (!net->pass)
-				{
-					net->pass = g_strdup (buf + 2);
-					if (!net->logintype)
-					{
-						net->logintype = LOGIN_NICKSERV;
-					}
-				}
 			}
 		}
 		if (buf[0] == 'N')
--- a/src/common/servlist.h
+++ b/src/common/servlist.h
@@ -62,7 +62,8 @@ extern GSList *network_list;
 #define FLAG_USE_PROXY			16
 #define FLAG_ALLOW_INVALID		32
 #define FLAG_FAVORITE			64
-#define FLAG_COUNT				7
+#define FLAG_USE_KEYRING		128
+#define FLAG_COUNT				8

 /* Login methods. Use server password by default - if we had a NickServ password, it'd be set to 2 already by servlist_load() */
 #define LOGIN_DEFAULT_REAL		LOGIN_PASS		/* this is to set the default login method for unknown servers */
@@ -124,5 +125,6 @@ favchannel *servlist_favchan_copy (favchannel *fav);
 GSList *servlist_favchan_listadd (GSList *chanlist, char *channel, char *key);

 gboolean joinlist_is_in_list (server *serv, char *channel);
+char *servlist_password_encrypt_for_storage (const char *pass);

 #endif