|
0
|
1 ;;; passwd.el --- Prompting for passwords semi-securely
|
|
|
2
|
|
|
3 ;; Copyright (C) 1994 Free Software Foundation, Inc.
|
|
|
4 ;; Keywords: comm, extensions
|
|
|
5
|
|
|
6 ;; Author: Jamie Zawinski <jwz@netscape.com>
|
|
|
7
|
|
|
8 ;; This file is part of XEmacs.
|
|
|
9
|
|
|
10 ;; XEmacs is free software; you can redistribute it and/or modify it
|
|
|
11 ;; under the terms of the GNU General Public License as published by
|
|
|
12 ;; the Free Software Foundation; either version 2, or (at your option)
|
|
|
13 ;; any later version.
|
|
|
14
|
|
|
15 ;; XEmacs is distributed in the hope that it will be useful, but
|
|
|
16 ;; WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
17 ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
18 ;; General Public License for more details.
|
|
|
19
|
|
70
|
20 ;;; Synched up with: Not in FSF.
|
|
|
21
|
|
0
|
22 ;; You should have received a copy of the GNU General Public License
|
|
70
|
23 ;; along with XEmacs; see the file COPYING. If not, write to the
|
|
|
24 ;; Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
|
25 ;; Boston, MA 02111-1307, USA.
|
|
0
|
26
|
|
|
27 ;;; Change Log:
|
|
|
28 ;;
|
|
|
29 ;; Sun Jun 12 04:19:30 1994 by sandy on ibm550.sissa.it
|
|
|
30 ;; Added support for password histories and (provide 'passwd)
|
|
|
31 ;; (jwz says: this "history" thing is completely undocumented, you loser!)
|
|
|
32 ;; 2-Jan-95 (mon); 4:13 AM by jwz@netscape.com
|
|
|
33 ;; Fixed Sandy's extreme keymap bogosity. Made it invert the screen when
|
|
|
34 ;; reading securely (this could be better; maybe use red text or something
|
|
|
35 ;; instead...)
|
|
|
36 ;; 9-Jul-95 (fri); 4:55 AM by jwz@netscape.com
|
|
|
37 ;; Made it work with XEmacs 19.12.
|
|
|
38 ;; 7-Jul-95 by cthomp@cs.uiuc.edu
|
|
|
39 ;; Added variable to control inverting frame when keyboard grabbed
|
|
|
40
|
|
|
41 ;;; Code:
|
|
|
42
|
|
|
43 (defvar passwd-invert-frame-when-keyboard-grabbed t
|
|
|
44 "*If non-nil swap the foreground and background colors of all faces.
|
|
|
45 This is done while the keyboard is grabbed in order to give a visual
|
|
|
46 clue that a grab is in effect.")
|
|
|
47
|
|
|
48 (defvar passwd-echo ?.
|
|
|
49 "*The character which should be echoed when typing a password,
|
|
|
50 or nil, meaning echo nothing.")
|
|
|
51
|
|
|
52 (defvar read-passwd-map
|
|
|
53 (let ((i 0)
|
|
|
54 (s (make-string 1 0))
|
|
|
55 map)
|
|
|
56 (cond ((fboundp 'set-keymap-parent)
|
|
|
57 (setq map (make-keymap))
|
|
|
58 (set-keymap-parent map minibuffer-local-map))
|
|
|
59 (t ; v18/FSFmacs compatibility
|
|
|
60 (setq map (copy-keymap minibuffer-local-map))))
|
|
|
61 (if (fboundp 'set-keymap-name)
|
|
|
62 (set-keymap-name map 'read-passwd-map))
|
|
|
63
|
|
|
64 (while (< i 127)
|
|
|
65 (aset s 0 i)
|
|
|
66 (or (and (boundp 'meta-prefix-char) (eq i meta-prefix-char))
|
|
|
67 (define-key map s 'self-insert-command))
|
|
|
68 (setq i (1+ i)))
|
|
|
69
|
|
|
70 (define-key map "\C-g" 'keyboard-quit)
|
|
|
71 (define-key map "\C-h" 'delete-backward-char)
|
|
|
72 (define-key map "\r" 'exit-minibuffer)
|
|
|
73 (define-key map "\n" 'exit-minibuffer)
|
|
|
74 (define-key map "\C-u" 'passwd-erase-buffer)
|
|
|
75 (define-key map "\C-q" 'quoted-insert)
|
|
|
76 (define-key map "\177" 'delete-backward-char)
|
|
|
77 (define-key map "\M-n" 'passwd-next-history-element)
|
|
|
78 (define-key map "\M-p" 'passwd-previous-history-element)
|
|
|
79 map)
|
|
|
80 "Keymap used for reading passwords in the minibuffer.
|
|
|
81 The \"bindings\" in this map are not real commands; only a limited
|
|
|
82 number of commands are understood. The important bindings are:
|
|
|
83 \\<read-passwd-map>
|
|
|
84 \\[passwd-erase-buffer] Erase all input.
|
|
|
85 \\[quoted-insert] Insert the next character literally.
|
|
|
86 \\[delete-backward-char] Delete the previous character.
|
|
|
87 \\[exit-minibuffer] Accept what you have typed.
|
|
|
88 \\[keyboard-quit] Abort the command.
|
|
|
89
|
|
|
90 All other characters insert themselves (but do not echo.)")
|
|
|
91
|
|
|
92 ;;; internal variables
|
|
|
93
|
|
|
94 (defvar passwd-history nil)
|
|
|
95 (defvar passwd-history-posn 0)
|
|
|
96
|
|
|
97 ;;;###autoload
|
|
|
98 (defun read-passwd (prompt &optional confirm default)
|
|
|
99 "Prompts for a password in the minibuffer, and returns it as a string.
|
|
|
100 If PROMPT may be a prompt string or an alist of elements
|
|
|
101 '\(prompt . default\).
|
|
|
102 If optional arg CONFIRM is true, then ask the user to type the password
|
|
|
103 again to confirm that they typed it correctly.
|
|
|
104 If optional arg DEFAULT is provided, then it is a string to insert as
|
|
|
105 the default choice (it is not, of course, displayed.)
|
|
|
106
|
|
|
107 If running under X, the keyboard will be grabbed (with XGrabKeyboard())
|
|
70
|
108 to reduce the possibility that evesdropping is occuring.
|
|
0
|
109
|
|
|
110 When reading a password, all keys self-insert, except for:
|
|
|
111 \\<read-passwd-map>
|
|
|
112 \\[read-passwd-erase-line] Erase the entire line.
|
|
|
113 \\[quoted-insert] Insert the next character literally.
|
|
|
114 \\[delete-backward-char] Delete the previous character.
|
|
|
115 \\[exit-minibuffer] Accept what you have typed.
|
|
|
116 \\[keyboard-quit] Abort the command.
|
|
|
117
|
|
|
118 The returned value is always a newly-created string. No additional copies
|
|
|
119 of the password remain after this function has returned.
|
|
|
120
|
|
|
121 NOTE: unless great care is taken, the typed password will exist in plaintext
|
|
|
122 form in the running image for an arbitrarily long time. Priveleged users may
|
|
|
123 be able to extract it from memory. If emacs crashes, it may appear in the
|
|
|
124 resultant core file.
|
|
|
125
|
|
|
126 Some steps you can take to prevent the password from being copied around:
|
|
|
127
|
|
|
128 - as soon as you are done with the returned string, destroy it with
|
|
|
129 (fillarray string 0). The same goes for any default passwords
|
|
|
130 or password histories.
|
|
|
131
|
|
|
132 - do not copy the string, as with concat or substring - if you do, be
|
|
|
133 sure to keep track of and destroy all copies.
|
|
|
134
|
|
|
135 - do not insert the password into a buffer - if you do, be sure to
|
|
|
136 overwrite the buffer text before killing it, as with the functions
|
|
|
137 `passwd-erase-buffer' or `passwd-kill-buffer'. Note that deleting
|
|
|
138 the text from the buffer does NOT necessarily remove the text from
|
|
|
139 memory.
|
|
|
140
|
|
|
141 - be careful of the undo history - if you insert the password into a
|
|
|
142 buffer which has undo recording turned on, the password will be
|
|
|
143 copied onto the undo list, and thus recoverable.
|
|
|
144
|
|
|
145 - do not pass it as an argument to a shell command - anyone will be
|
|
|
146 able to see it if they run `ps' at the right time.
|
|
|
147
|
|
|
148 Note that the password will be temporarily recoverable with the `view-lossage'
|
|
|
149 command. This data will not be overwritten until another hundred or so
|
|
|
150 characters are typed. There's not currently a way around this."
|
|
|
151
|
|
|
152 (save-excursion
|
|
|
153 (let ((input (get-buffer-create " *password*"))
|
|
|
154 (passwd-history-posn 0)
|
|
|
155 passwd-history)
|
|
|
156 (if (listp prompt)
|
|
|
157 (setq passwd-history prompt
|
|
|
158 default (cdr (car passwd-history))))
|
|
|
159 (set-buffer input)
|
|
|
160 (buffer-disable-undo input)
|
|
|
161 (use-local-map read-passwd-map)
|
|
|
162 (unwind-protect
|
|
|
163 (progn
|
|
|
164 (if (passwd-grab-keyboard)
|
|
|
165 (passwd-secure-display))
|
|
|
166 (read-passwd-1 input prompt nil default)
|
|
|
167 (set-buffer input)
|
|
|
168
|
|
|
169 (if (not confirm)
|
|
|
170 (buffer-string)
|
|
|
171 (let ((ok nil)
|
|
|
172 passwd)
|
|
|
173 (while (not ok)
|
|
|
174 (set-buffer input)
|
|
|
175 (setq passwd (buffer-string))
|
|
|
176 (read-passwd-1 input prompt "[Retype to confirm]")
|
|
|
177 (if (passwd-compare-string-to-buffer passwd input)
|
|
|
178 (setq ok t)
|
|
|
179 (fillarray passwd 0)
|
|
|
180 (setq passwd nil)
|
|
|
181 (beep)
|
|
|
182 (read-passwd-1 input prompt "[Mismatch. Start over]")
|
|
|
183 ))
|
|
|
184 passwd)))
|
|
|
185 ;; protected
|
|
|
186 (passwd-ungrab-keyboard)
|
|
|
187 (passwd-insecure-display)
|
|
|
188 (passwd-kill-buffer input)
|
|
70
|
189 (if (fboundp 'clear-message) ;XEmacs
|
|
|
190 (clear-message)
|
|
|
191 (message ""))
|
|
0
|
192 ))))
|
|
|
193
|
|
|
194
|
|
|
195 (defun read-passwd-1 (buffer prompt &optional prompt2 default)
|
|
|
196 (set-buffer buffer)
|
|
|
197 (passwd-erase-buffer)
|
|
|
198 (if default (insert default))
|
|
|
199 (catch 'exit ; exit-minibuffer throws here
|
|
|
200 (while t
|
|
|
201 (set-buffer buffer)
|
|
|
202 (let* ((minibuffer-completion-table nil)
|
|
|
203 (cursor-in-echo-area t)
|
|
|
204 (echo-keystrokes 0)
|
|
|
205 (key (passwd-read-key-sequence
|
|
|
206 (concat (if (listp prompt)
|
|
|
207 (car (nth passwd-history-posn passwd-history))
|
|
|
208 prompt)
|
|
|
209 prompt2
|
|
|
210 (if passwd-echo
|
|
|
211 (make-string (buffer-size) passwd-echo)))))
|
|
|
212 (binding (key-binding key)))
|
|
|
213 (setq prompt2 nil)
|
|
|
214 (set-buffer buffer) ; just in case...
|
|
|
215 (if (fboundp 'event-to-character) ;; lemacs
|
|
|
216 (setq last-command-event (aref key (1- (length key)))
|
|
|
217 last-command-char (event-to-character last-command-event))
|
|
|
218 ;; v18/FSFmacs compatibility
|
|
|
219 (setq last-command-char (aref key (1- (length key)))))
|
|
|
220 (setq this-command binding)
|
|
|
221 (condition-case c
|
|
|
222 (command-execute binding)
|
|
|
223 (error
|
|
|
224 (beep)
|
|
|
225 (if (fboundp 'display-error)
|
|
|
226 (display-error c t)
|
|
|
227 ;; v18/FSFmacs compatibility
|
|
|
228 (message (concat (or (get (car-safe c) 'error-message) "???")
|
|
|
229 (if (cdr-safe c) ": ")
|
|
|
230 (mapconcat
|
|
|
231 (function (lambda (x) (format "%s" x)))
|
|
|
232 (cdr-safe c) ", "))))
|
|
|
233 (sit-for 2)))
|
|
|
234 ))))
|
|
|
235
|
|
|
236 (defun passwd-previous-history-element (n)
|
|
|
237 (interactive "p")
|
|
|
238 (or passwd-history
|
|
|
239 (error "Password history is empty."))
|
|
|
240 (let ((l (length passwd-history)))
|
|
|
241 (setq passwd-history-posn
|
|
|
242 (% (+ n passwd-history-posn) l))
|
|
|
243 (if (< passwd-history-posn 0)
|
|
|
244 (setq passwd-history-posn (+ passwd-history-posn l))))
|
|
|
245 (let ((obuff (current-buffer))) ; want to move point in passwd buffer
|
|
|
246 (unwind-protect
|
|
|
247 (progn
|
|
|
248 (set-buffer " *password*")
|
|
|
249 (passwd-erase-buffer)
|
|
|
250 (insert (cdr (nth passwd-history-posn passwd-history))))
|
|
|
251 (set-buffer obuff))))
|
|
|
252
|
|
|
253 (defun passwd-next-history-element (n)
|
|
|
254 (interactive "p")
|
|
|
255 (passwd-previous-history-element (- n)))
|
|
|
256
|
|
|
257 (defun passwd-erase-buffer ()
|
|
|
258 ;; First erase the buffer, which will simply enlarge the gap.
|
|
|
259 ;; Then insert null characters until the gap is filled with them
|
|
|
260 ;; to prevent the old text from being visible in core files or kmem.
|
|
|
261 ;; (Actually use 3x the size of the buffer just to be safe - a longer
|
|
|
262 ;; passwd might have been typed and backspaced over.)
|
|
|
263 (interactive)
|
|
|
264 (widen)
|
|
|
265 (let ((s (* (buffer-size) 3)))
|
|
|
266 (erase-buffer)
|
|
|
267 (while (> s 0)
|
|
|
268 (insert ?\000)
|
|
|
269 (setq s (1- s)))
|
|
|
270 (erase-buffer)))
|
|
|
271
|
|
|
272 (defun passwd-kill-buffer (buffer)
|
|
|
273 (save-excursion
|
|
|
274 (set-buffer buffer)
|
|
|
275 (buffer-disable-undo buffer)
|
|
|
276 (passwd-erase-buffer)
|
|
|
277 (set-buffer-modified-p nil))
|
|
|
278 (kill-buffer buffer))
|
|
|
279
|
|
|
280
|
|
|
281 (defun passwd-compare-string-to-buffer (string buffer)
|
|
|
282 ;; same as (equal string (buffer-string)) but with no dangerous consing.
|
|
|
283 (save-excursion
|
|
|
284 (set-buffer buffer)
|
|
|
285 (goto-char (point-min))
|
|
|
286 (let ((L (length string))
|
|
|
287 (i 0))
|
|
|
288 (if (/= L (- (point-max) (point-min)))
|
|
|
289 nil
|
|
|
290 (while (not (eobp))
|
|
|
291 (if (/= (following-char) (aref string i))
|
|
|
292 (goto-char (point-max))
|
|
|
293 (setq i (1+ i))
|
|
|
294 (forward-char)))
|
|
|
295 (= (point) (+ i (point-min)))))))
|
|
|
296
|
|
|
297
|
|
|
298 (defvar passwd-face-data nil)
|
|
|
299 (defun passwd-secure-display ()
|
|
|
300 ;; Inverts the screen - used to indicate secure input, like xterm.
|
|
|
301 (cond
|
|
|
302 ((and passwd-invert-frame-when-keyboard-grabbed
|
|
|
303 (fboundp 'set-face-foreground))
|
|
|
304 (setq passwd-face-data
|
|
|
305 (delq nil (mapcar (function
|
|
|
306 (lambda (face)
|
|
|
307 (let ((fg (face-foreground face))
|
|
|
308 (bg (face-background face)))
|
|
|
309 (if (or fg bg)
|
|
|
310 (if (fboundp 'color-name)
|
|
|
311 (list face
|
|
|
312 (color-name fg)
|
|
|
313 (color-name bg))
|
|
|
314 (list face fg bg))
|
|
|
315 nil))))
|
|
|
316 (if (fboundp 'list-faces)
|
|
|
317 (list-faces) ; lemacs
|
|
|
318 (face-list) ; FSFmacs
|
|
|
319 ))))
|
|
|
320 (let ((rest passwd-face-data))
|
|
|
321 (while rest
|
|
|
322 (set-face-foreground (nth 0 (car rest)) (nth 2 (car rest)))
|
|
|
323 (set-face-background (nth 0 (car rest)) (nth 1 (car rest)))
|
|
|
324 (setq rest (cdr rest))))))
|
|
|
325 nil)
|
|
|
326
|
|
|
327 (defun passwd-insecure-display ()
|
|
|
328 ;; Undoes the effect of `passwd-secure-display'.
|
|
|
329 (cond
|
|
|
330 (passwd-invert-frame-when-keyboard-grabbed
|
|
|
331 (while passwd-face-data
|
|
|
332 (set-face-foreground (nth 0 (car passwd-face-data))
|
|
|
333 (nth 1 (car passwd-face-data)))
|
|
|
334 (set-face-background (nth 0 (car passwd-face-data))
|
|
|
335 (nth 2 (car passwd-face-data)))
|
|
|
336 (setq passwd-face-data (cdr passwd-face-data)))
|
|
|
337 nil)))
|
|
|
338
|
|
|
339 (defun passwd-grab-keyboard ()
|
|
|
340 (cond ((not (and (fboundp 'x-grab-keyboard) ; lemacs 19.10+
|
|
|
341 (eq 'x (if (fboundp 'frame-type)
|
|
|
342 (frame-type (selected-frame))
|
|
|
343 (live-screen-p (selected-screen))))))
|
|
|
344 nil)
|
|
|
345 ((x-grab-keyboard)
|
|
|
346 t)
|
|
|
347 (t
|
|
|
348 (message "Unable to grab keyboard - waiting a second...")
|
|
|
349 (sleep-for 1)
|
|
|
350 (cond ((x-grab-keyboard)
|
|
|
351 (message "Keyboard grabbed on second try.")
|
|
|
352 t)
|
|
|
353 (t
|
|
|
354 (beep)
|
|
|
355 (message "WARNING: keyboard is insecure (unable to grab!)")
|
|
|
356 (sleep-for 3)
|
|
|
357 nil)))))
|
|
|
358
|
|
|
359 (defun passwd-ungrab-keyboard ()
|
|
|
360 (if (and (fboundp 'x-ungrab-keyboard) ; lemacs 19.10+
|
|
|
361 (eq 'x (if (fboundp 'frame-type)
|
|
|
362 (frame-type (selected-frame))
|
|
|
363 (live-screen-p (selected-screen)))))
|
|
|
364 (x-ungrab-keyboard)))
|
|
|
365
|
|
|
366 ;; v18 compatibility
|
|
|
367 (or (fboundp 'buffer-disable-undo)
|
|
|
368 (fset 'buffer-disable-undo 'buffer-flush-undo))
|
|
|
369
|
|
|
370 ;; read-key-sequence echoes the key sequence in Emacs 18.
|
|
|
371 (defun passwd-read-key-sequence (prompt)
|
|
|
372 (let ((inhibit-quit t)
|
|
|
373 str)
|
|
|
374 (while (or (null str) (keymapp (key-binding str)))
|
|
70
|
375 (if (fboundp 'display-message)
|
|
|
376 (display-message 'prompt prompt)
|
|
|
377 (message prompt))
|
|
0
|
378 (setq str (concat str (char-to-string (read-char)))))
|
|
|
379 (setq quit-flag nil)
|
|
|
380 str))
|
|
|
381
|
|
|
382 (or (string-match "^18" emacs-version)
|
|
|
383 (fset 'passwd-read-key-sequence 'read-key-sequence))
|
|
|
384
|
|
|
385 (provide 'passwd)
|
|
|
386
|
|
|
387 ;;; passwd.el ends here
|
