-rw-r--r--AUTHORS1
-rw-r--r--ChangeLog67
-rw-r--r--configure.ac27
-rw-r--r--krb5-auth-dialog.doap17
-rw-r--r--preferences/krb5-auth-dialog-preferences.c74
-rw-r--r--preferences/krb5-auth-dialog-preferences.glade49
-rw-r--r--src/krb5-auth-applet.c22
-rw-r--r--src/krb5-auth-dialog.c67
-rw-r--r--src/krb5-auth-dialog.schemas.in17
-rw-r--r--src/krb5-auth-gconf-tools.h1
-rw-r--r--src/krb5-auth-gconf.c22
11 files changed, 311 insertions, 53 deletions
diff --git a/AUTHORS b/AUTHORS
index 031f294..695d287 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -1,3 +1,4 @@
Christopher Aillon <caillon@redhat.com>
Jonathan Blandford <jrb@redhat.com>
+Colin Walters <walters@verbum.org>
Guido Günther <agx@sigxcpu.org>
diff --git a/ChangeLog b/ChangeLog
index e253814..3a03eae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,45 @@
-Sa Apr 4 11:15:39 CEST 2009 Guido Günther <agx@sigxcpu.org>
+Sat Apr 18 00:19:02 CEST 2009 Guido Günther <agx@sigxcpu.org>
+
+ * src/krb5-auth-gconf.c (ka_gconf_set_principal): handle length zero
+ KA_GCONF_KEY_PRINCIPAL
+
+Fri Apr 17 13:36:00 CEST 2009 Guido Günther <agx@sigxcpu.org>
+
+ * preferences/krb5-auth-dialog-preferences.glade: mark GtkEntrys
+ activates_default and close button as has_default.
+
+Fri Apr 17 13:20:09 CEST 2009 Guido Günther <agx@sigxcpu.org>
+
+ make pkinit anchors configurable and pass pkinit options to
+ krb5_get_init_creds_opt_set_pa (MIT pkinit), if available.
+ * configure.ac: check for krb5_get_init_creds_opt_set_pa
+ * preferences/krb5-auth-dialog-preferences.c
+ (ka_preferences_pkanchors_notify,
+ ka_preferences_dialog_pkanchors_changed,
+ ka_preferences_dialog_setup_pkanchors_entry): new functions
+ (ka_preferences_dialog_init: call
+ ka_preferences_dialog_setup_pkanchors_entry to handle pk_anchors
+ * preferences/krb5-auth-dialog-preferences.glade: add pkanchors_entry
+ GtkEntry
+ * src/krb5-auth-applet.c (ka_applet-{set,get}_property,
+ ka_applet_class_init): handle pk-anchors property
+ * src/krb5-auth-dialog.c (ka_set_ticket_options): pass pkinit userid
+ and anchors to krb5_get_init_creds_opt_set_pa if available.
+ (ka_auth_pkinit): rename to ka_auth_heimdal_pkinit
+ (ka_auth_heimdal_pkinit): pass pk_anchors
+ (grab_credentials): fetch pk_anchors from pk-anchors property and
+ pass it to ka_auth_{password,heimdal_pkinit}
+ * src/krb5-auth-gconf.c (ka_gconf_set_pk_anchors): new function
+ (ka_gconf_key_changed_callback): handle pk_anchors
+ (ka_gconf_init); likewise
+ * src/krb5-auth-gconf-tools.h: add pk_anchors
+ * src/krb5-auth-dialog.schemas.in: add pk_anchors
+
+Fri Apr 17 13:19:18 CEST 2009 Guido Günther <agx@sigxcpu.org>
+
+ * AUTHORS: add Colin
+
+Sat Apr 4 11:15:39 CEST 2009 Guido Günther <agx@sigxcpu.org>
GtkSecureEntry warning fixes:
* gtksecentry/gtksecentry.c (gtk_secure_entry_state_changed: drop
@@ -21,7 +62,7 @@ Sa Apr 4 11:15:39 CEST 2009 Guido Günther <agx@sigxcpu.org>
(gtk_secure_entry_layout_index_to_text_index): likewise
(gtk_secure_entry_text_index_to_layout_index): likewise
-Sa Apr 4 11:06:45 CEST 2009 Guido Günther <agx@sigxcpu.org>
+Sat Apr 4 11:06:45 CEST 2009 Guido Günther <agx@sigxcpu.org>
add preferences capplet
* preferences/{krb5-auth-dialog-preferences.{c,glade,desktop.in},
@@ -32,7 +73,7 @@ Sa Apr 4 11:06:45 CEST 2009 Guido Günther <agx@sigxcpu.org>
preferences
(ka_applet_create_context_menu): add preferences context menu entry
-Sa Apr 4 10:57:23 CEST 2009 Guido Günther <agx@sigxcpu.org>
+Sat Apr 4 10:57:23 CEST 2009 Guido Günther <agx@sigxcpu.org>
allow to set ticket proxiable, renewable and forwardable ticket flags
via gconf
@@ -47,7 +88,7 @@ Sa Apr 4 10:57:23 CEST 2009 Guido Günther <agx@sigxcpu.org>
boolean gconf keys
* src/krb5-auth-dialog.schemas.in: add new gconf keys to schema
-Sa Apr 4 10:52:53 CEST 2009 Guido Günther <agx@sigxcpu.org>
+Sat Apr 4 10:52:53 CEST 2009 Guido Günther <agx@sigxcpu.org>
split out gconf tool functions
* src/krb5-auth-gconf-tools.h: new file
@@ -56,13 +97,13 @@ Sa Apr 4 10:52:53 CEST 2009 Guido Günther <agx@sigxcpu.org>
src/krb5-auth-gconf-tools.c
(KA_GCONF_*): move to src/krb5-auth-gconf-tools.h
-Sa Mär 28 14:17:49 CET 2009 Guido Günther <agx@sigxcpu.org>
+Sat Mär 28 14:17:49 CET 2009 Guido Günther <agx@sigxcpu.org>
add dbus service file
* src/org.gnome.KrbAuthDialog.service.in: new file
* src/Makefile.am (service_DATA): process annd install service file
-Di Mär 24 00:04:50 CET 2009 Guido Günther <agx@sigxcpu.org>
+Tue Mär 24 00:04:50 CET 2009 Guido Günther <agx@sigxcpu.org>
monitor ccache via GFileMontor
* src/krb5-auth-dialog.c (monitor_ccache, ka_ccache_filename,
@@ -70,7 +111,7 @@ Di Mär 24 00:04:50 CET 2009 Guido Günther <agx@sigxcpu.org>
(main): monitor ccache via monitor_ccache
* configure.ac: look for gio-unix
-Di Mär 24 00:01:28 CET 2009 Guido Günther <agx@sigxcpu.org>
+Tue Mär 24 00:01:28 CET 2009 Guido Günther <agx@sigxcpu.org>
* src/krb5-auth-dialog.c (auth_dialog_prompter): handle
GTK_RESPONSE_DELETE_EVENT like GTK_RESPONSE_CANCEL so pressing ESC or
@@ -79,34 +120,34 @@ Di Mär 24 00:01:28 CET 2009 Guido Günther <agx@sigxcpu.org>
kerberos error codes - more robust since heimdal and mit have different
responses, let alone pkinit.
-Mo Mär 23 23:57:36 CET 2009 Guido Günther <agx@sigxcpu.org>
+Mon Mär 23 23:57:36 CET 2009 Guido Günther <agx@sigxcpu.org>
split password auth into a separate function
* src/krb5-auth-dialog.c (ka_auth_password): new function
(grab_credentials): fall back to password auth if no token is
present and pkinit is enabled
-Mo Mär 23 23:55:20 CET 2009 Guido Günther <agx@sigxcpu.org>
+Mon Mär 23 23:55:20 CET 2009 Guido Günther <agx@sigxcpu.org>
* src/krb5-auth-pwdialog.h: remove unused headers
* src/krb5-auth-applet.h: likewise
* src/krb5-auth-dialog.c (is_online): move static variable to the top
-Mi Mär 11 17:21:07 CET 2009 Guido Günther <agx@sigxcpu.org>
+Wed Mär 11 17:21:07 CET 2009 Guido Günther <agx@sigxcpu.org>
silence compiler warnings
* src/krb5-auth-{applet,dialog,gconf,pwdialog}.[ch]: mark unused
parameters as G_GNUC_UNUSED or drop them, add missing void to
prototypes
-Mi Mär 11 17:19:02 CET 2009 Guido Günther <agx@sigxcpu.org>
+Mon Mär 11 17:19:02 CET 2009 Guido Günther <agx@sigxcpu.org>
add more compiler warnings
* acinclude.m4: add KA_COMPILE_WARNINGS
* compiler-flags.m4: add gl_COMPILER_FLAGS to test compiler options
* configure.ac: call KA_COMPILE_WARNINGS and add WARN_CFLAGS to CFLAGS
-Mi Mär 11 17:10:11 CET 2009 Guido Günther <agx@sigxcpu.org>
+Wed Mär 11 17:10:11 CET 2009 Guido Günther <agx@sigxcpu.org>
push the dialog into the foreground and grab the keyboard so we make
sure the user gets to see the dialog in all cases (e.g. when an app is
@@ -117,7 +158,7 @@ Mi Mär 11 17:10:11 CET 2009 Guido Günther <agx@sigxcpu.org>
window_state_changed): new functions
(ka_pwdialog_run): use these
-Mi Mär 11 17:04:03 CET 2009 Guido Günther <agx@sigxcpu.org>
+Wed Mär 11 17:04:03 CET 2009 Guido Günther <agx@sigxcpu.org>
add a pwdialog gobject - remove lots of duplicate code and splits most
of the password dialog handling into its own file
diff --git a/configure.ac b/configure.ac
index be95999..3b9c983 100644
--- a/configure.ac
+++ b/configure.ac
@@ -65,10 +65,13 @@ AC_CHECK_MEMBERS(krb5_creds.flags.b.forwardable,,,[#include <krb5.h>])
AC_CHECK_MEMBERS(krb5_creds.flags.b.renewable,,,[#include <krb5.h>])
AC_CHECK_MEMBERS(krb5_creds.flags.b.proxiable,,,[#include <krb5.h>])
AC_CHECK_MEMBERS(krb5_creds.flags,,,[#include <krb5.h>])
-AC_CHECK_FUNCS([krb5_get_error_message])
-AC_CHECK_FUNCS([krb5_get_renewed_creds])
-AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_default_flags])
-AC_CHECK_FUNCS([krb5_cc_clear_mcred])
+AC_CHECK_FUNCS([krb5_get_error_message krb5_get_renewed_creds \
+ krb5_get_init_creds_opt_set_default_flags \
+ krb5_cc_clear_mcred])
+AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit],
+ [heimdal_pkinit=yes],[heimdal_pkinit=no])
+AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pa],
+ [mit_pkinit=yes],[mit_pkinit=no])
AC_MSG_CHECKING(if a krb5_principal->realm is a char*)
AC_COMPILE_IFELSE([
$ac_includes_default
@@ -95,29 +98,25 @@ main(int argc, char **argv)
foo->realm = bar;
return 0;
}],[AC_DEFINE(HAVE_KRB5_PRINCIPAL_REALM_AS_DATA,1,[Define if the realm of a krb5_principal is a krb5_data])
-AC_MSG_RESULT(yes)],
-AC_MSG_RESULT(no))
+AC_MSG_RESULT(yes)], AC_MSG_RESULT(no))
+
dnl pkinit
AC_MSG_CHECKING([whether to enable pkinit support])
AC_ARG_ENABLE([pkinit],
AS_HELP_STRING([--enable-pkinit],[whether to enable preauth via pkinit support]),
[],[enable_pkinit=autodetect])
-AC_MSG_RESULT([$enable_pkinit])
-if test "x$enable_pkinit" != "xno"; then
- AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit],
- [enable_pkinit=yes],[enable_pkinit=no])
-fi
-
-if test "x$enable_pkinit" = "xyes"; then
+if test "x$heimdal_pkinit" = "xyes" -o \
+ "x$mit_pkinit" = "xyes"; then
+ enable_pkinit=yes
AC_DEFINE([ENABLE_PKINIT],[1],[Define for pkinit support])
fi
+AC_MSG_RESULT([$enable_pkinit])
AM_CONDITIONAL([ENABLE_PKINIT],[test "x$enable_pkinit" = "xyes"])
CFLAGS="$savedCFLAGS"
LIBS="$savedLIBS"
-
dnl NetworkManager
AC_MSG_CHECKING([whether to enable NetworkManager support])
AC_ARG_ENABLE([network-manager],
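Review bot: The `--disable-pkinit` option is now ignored: the new `if` only looks at `$heimdal_pkinit`/`$mit_pkinit`, so `enable_pkinit` is forced to `yes` and `ENABLE_PKINIT` defined whenever either library function is found, whereas the removed code only probed when the user had not said `no`. The value `autodetect` also survives into `AC_MSG_RESULT` when neither function exists. Change the condition to `if test "x$enable_pkinit" != "xno" && test "x$heimdal_pkinit" = "xyes" -o "x$mit_pkinit" = "xyes"; then` and add an `else` branch with `enable_pkinit=no` before the `fi`, so the printed result is always yes/no and an explicit opt-out is honoured.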
diff --git a/krb5-auth-dialog.doap b/krb5-auth-dialog.doap
new file mode 100644
index 0000000..af2d09c
--- /dev/null
+++ b/krb5-auth-dialog.doap
@@ -0,0 +1,17 @@
+<Project xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
+ xmlns:foaf="http://xmlns.com/foaf/0.1/"
+ xmlns:gnome="http://api.gnome.org/doap-extensions#"
+ xmlns="http://usefulinc.com/ns/doap#">
+ <name xml:lang="en">krb5-auth-dialog</name>
+ <shortdesc xml:lang="en">Tray applet to acquire, monitor and refresh Kerberos tickets</shortdesc>
+ <homepage rdf:resource="https://honk.sigxcpu.org/piki/projects/krb5-auth-dialog/" />
+ <maintainer>
+ <foaf:Person>
+ <foaf:name>Guido Günther</foaf:name>
+ <foaf:mbox rdf:resource="agx@sigxcpu.org" />
+ <gnome:userid>guidog</gnome:userid>
+ </foaf:Person>
+ </maintainer>
+</Project>
+
diff --git a/preferences/krb5-auth-dialog-preferences.c b/preferences/krb5-auth-dialog-preferences.c
index caf9ed9..ab463a0 100644
--- a/preferences/krb5-auth-dialog-preferences.c
+++ b/preferences/krb5-auth-dialog-preferences.c
@@ -36,7 +36,7 @@
#include "krb5-auth-gconf-tools.h"
-#define N_LISTENERS 7
+#define N_LISTENERS 8
typedef struct {
GladeXML *xml;
@@ -45,6 +45,7 @@ typedef struct {
GtkWidget *dialog;
GtkWidget *principal_entry;
GtkWidget *pkuserid_entry;
+ GtkWidget *pkanchors_entry;
GtkWidget *forwardable_toggle;
GtkWidget *proxiable_toggle;
GtkWidget *renewable_toggle;
@@ -198,6 +199,76 @@ ka_preferences_dialog_setup_pkuserid_entry (KaPreferencesDialog *dialog)
static void
+ka_preferences_pkanchors_notify (GConfClient *client G_GNUC_UNUSED,
+ guint cnx_id G_GNUC_UNUSED,
+ GConfEntry *entry,
+ KaPreferencesDialog *dialog)
+{
+ const char *pkanchors;
+
+ if (!entry->value || entry->value->type != GCONF_VALUE_STRING)
+ return;
+
+ pkanchors = gconf_value_get_string (entry->value);
+
+ if (!pkanchors || !strlen(pkanchors))
+ gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), "");
+ else {
+ const char *old_pkanchors;
+
+ old_pkanchors = gtk_entry_get_text (GTK_ENTRY (dialog->pkanchors_entry));
+ if (!old_pkanchors || (old_pkanchors && strcmp (old_pkanchors, pkanchors)))
+ gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), pkanchors);
+ }
+}
+
+
+static void
+ka_preferences_dialog_pkanchors_changed (GtkEntry *entry,
+ KaPreferencesDialog *dialog)
+{
+ const char *pkanchors;
+
+ pkanchors = gtk_entry_get_text (entry);
+
+ if (!pkanchors || !strlen(pkanchors))
+ gconf_client_unset (dialog->client, KA_GCONF_KEY_PK_ANCHORS, NULL);
+ else
+ gconf_client_set_string (dialog->client, KA_GCONF_KEY_PK_ANCHORS, pkanchors, NULL);
+}
+
+
+static void
+ka_preferences_dialog_setup_pkanchors_entry (KaPreferencesDialog *dialog)
+{
+ char *pkanchors = NULL;
+
+ dialog->pkanchors_entry = glade_xml_get_widget (dialog->xml, "pkanchors_entry");
+ g_assert (dialog->pkanchors_entry != NULL);
+
+ if (!ka_gconf_get_string (dialog->client, KA_GCONF_KEY_PK_ANCHORS, &pkanchors))
+ g_warning ("Getting pkanchors failed");
+
+ if (pkanchors && strlen(pkanchors))
+ gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), pkanchors);
+ if (pkanchors)
+ g_free (pkanchors);
+
+ g_signal_connect (dialog->pkanchors_entry, "changed",
+ G_CALLBACK (ka_preferences_dialog_pkanchors_changed), dialog);
+ if (!gconf_client_key_is_writable (dialog->client, KA_GCONF_KEY_PK_ANCHORS, NULL)) {
+ gtk_widget_set_sensitive (dialog->pkanchors_entry, FALSE);
+ }
+
+ dialog->listeners [dialog->n_listeners] = gconf_client_notify_add (dialog->client,
+ KA_GCONF_KEY_PK_ANCHORS,
+ (GConfClientNotifyFunc) ka_preferences_pkanchors_notify,
+ dialog, NULL, NULL);
+ dialog->n_listeners++;
+}
+
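Review bot: In `ka_preferences_pkanchors_notify` the test `if (!old_pkanchors || (old_pkanchors && strcmp (old_pkanchors, pkanchors)))` is redundant: the second `old_pkanchors &&` can never be false once the first disjunct fails. `if (g_strcmp0 (old_pkanchors, pkanchors) != 0)` expresses the same intent (NULL-safe, set only when the text differs) in one call. In `ka_preferences_dialog_pkanchors_changed` both `gconf_client_unset` and `gconf_client_set_string` are called with a NULL `GError`, so a failed write of the anchors path is dropped silently while the entry still shows the value; if the surrounding setup functions do the same this is at least consistent, but a `g_warning` on failure would make a misconfigured gconf visible.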
+
+static void
ka_preferences_dialog_forwardable_toggled (GtkToggleButton *toggle,
KaPreferencesDialog *dialog)
{
@@ -552,6 +623,7 @@ ka_preferences_dialog_init(KaPreferencesDialog* dialog)
ka_preferences_dialog_setup_principal_entry (dialog);
ka_preferences_dialog_setup_pkuserid_entry (dialog);
+ ka_preferences_dialog_setup_pkanchors_entry(dialog);
ka_preferences_dialog_setup_forwardable_toggle (dialog);
ka_preferences_dialog_setup_proxiable_toggle (dialog);
ka_preferences_dialog_setup_renewable_toggle (dialog);
diff --git a/preferences/krb5-auth-dialog-preferences.glade b/preferences/krb5-auth-dialog-preferences.glade
index b4e5cd5..8e23b2f 100644
--- a/preferences/krb5-auth-dialog-preferences.glade
+++ b/preferences/krb5-auth-dialog-preferences.glade
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE glade-interface SYSTEM "glade-2.0.dtd">
-<!--Generated with glade3 3.4.5 on Thu Apr 2 18:10:14 2009 -->
+<!--Generated with glade3 3.4.5 on Tue Apr 14 22:22:46 2009 -->
<glade-interface>
<widget class="GtkDialog" id="krb5_auth_dialog_prefs">
<property name="border_width">5</property>
@@ -87,6 +87,7 @@
<widget class="GtkEntry" id="principal_entry">
<property name="visible">True</property>
<property name="can_focus">True</property>
+ <property name="activates_default">True</property>
</widget>
<packing>
<property name="position">1</property>
@@ -128,6 +129,7 @@
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="tooltip" translatable="yes">The principal's public/private/certificate identifier. Leave empty if not using PKINIT.</property>
+ <property name="activates_default">True</property>
</widget>
<packing>
<property name="position">1</property>
@@ -138,6 +140,48 @@
<property name="position">3</property>
</packing>
</child>
+ <child>
+ <widget class="GtkLabel" id="label3">
+ <property name="visible">True</property>
+ <property name="xalign">0</property>
+ <property name="label" translatable="yes">PKINT anchors:</property>
+ </widget>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">False</property>
+ <property name="position">4</property>
+ </packing>
+ </child>
+ <child>
+ <widget class="GtkHBox" id="hbox12">
+ <property name="visible">True</property>
+ <property name="spacing">6</property>
+ <child>
+ <widget class="GtkLabel" id="label20">
+ <property name="visible">True</property>
+ <property name="label" translatable="yes"> </property>
+ </widget>
+ <packing>
+ <property name="expand">False</property>
+ <property name="fill">False</property>
+ </packing>
+ </child>
+ <child>
+ <widget class="GtkEntry" id="pkanchors_entry">
+ <property name="visible">True</property>
+ <property name="can_focus">True</property>
+ <property name="tooltip" translatable="yes">Path to CA certificates used as trust anchors for PKINIT</property>
+ <property name="activates_default">True</property>
+ </widget>
+ <packing>
+ <property name="position">1</property>
+ </packing>
+ </child>
+ </widget>
+ <packing>
+ <property name="position">5</property>
+ </packing>
+ </child>
</widget>
<packing>
<property name="position">1</property>
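Review bot: The translatable label on the new `label3` widget reads `PKINT anchors:`, which is a typo that will be shipped to users and to translators; it should be `PKINIT anchors:` to match the `PKINIT` spelling used in the schema text and the tooltip on `pkanchors_entry` in this same hunk. Fixing it now avoids a string change after translations exist.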
@@ -392,6 +436,7 @@
<property name="visible">True</property>
<property name="can_focus">True</property>
<property name="tooltip" translatable="yes">Send notification about ticket expiry that many minutes before it finally expires. </property>
+ <property name="activates_default">True</property>
<property name="adjustment">0 0 100 1 10 10</property>
</widget>
<packing>
@@ -552,6 +597,8 @@
<widget class="GtkButton" id="button1">
<property name="visible">True</property>
<property name="can_focus">True</property>
+ <property name="can_default">True</property>
+ <property name="has_default">True</property>
<property name="receives_default">True</property>
<property name="label" translatable="yes">gtk-close</property>
<property name="use_stock">True</property>
diff --git a/src/krb5-auth-applet.c b/src/krb5-auth-applet.c
index daaef2e..6e02ed8 100644
--- a/src/krb5-auth-applet.c
+++ b/src/krb5-auth-applet.c
@@ -41,6 +41,7 @@ enum
KA_PROP_0 = 0,
KA_PROP_PRINCIPAL,
KA_PROP_PK_USERID,
+ KA_PROP_PK_ANCHORS,
KA_PROP_TRAYICON,
KA_PROP_PW_PROMPT_MINS,
KA_PROP_TGT_FORWARDABLE,
@@ -76,6 +77,7 @@ struct _KaAppletPrivate
char* principal; /* the principal to request */
gboolean renewable; /* credentials renewable? */
char* pk_userid; /* "userid" for pkint */
+ char* pk_anchors; /* trust anchors for pkint */
gboolean tgt_forwardable; /* request a forwardable ticket */
gboolean tgt_renewable; /* request a renewable ticket */
gboolean tgt_proxiable; /* request a proxiable ticket */
@@ -102,6 +104,12 @@ ka_applet_set_property (GObject *object,
KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_userid);
break;
+ case KA_PROP_PK_ANCHORS:
+ g_free (self->priv->pk_anchors);
+ self->priv->pk_anchors = g_value_dup_string (value);
+ KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_anchors);
+ break;
+
case KA_PROP_TRAYICON:
self->priv->show_trayicon = g_value_get_boolean (value);
KA_DEBUG ("%s: %s", pspec->name, self->priv->show_trayicon ? "True" : "False");
@@ -152,6 +160,10 @@ ka_applet_get_property (GObject *object,
g_value_set_string (value, self->priv->pk_userid);
break;
+ case KA_PROP_PK_ANCHORS:
+ g_value_set_string (value, self->priv->pk_anchors);
+ break;
+
case KA_PROP_TRAYICON:
g_value_set_boolean (value, self->priv->show_trayicon);
break;
@@ -207,6 +219,7 @@ ka_applet_finalize(GObject *object)
g_free (applet->priv->principal);
g_free (applet->priv->pk_userid);
+ g_free (applet->priv->pk_anchors);
/* no need to free applet->priv */
if (parent_class->finalize != NULL)
@@ -252,6 +265,15 @@ ka_applet_class_init(KaAppletClass *klass)
KA_PROP_PK_USERID,
pspec);
+ pspec = g_param_spec_string ("pk-anchors",
+ "PKinit trust anchors",
+ "Get/Set Pkinit trust anchors",
+ "",
+ G_PARAM_CONSTRUCT | G_PARAM_READWRITE);
+ g_object_class_install_property (object_class,
+ KA_PROP_PK_ANCHORS,
+ pspec);
+
pspec = g_param_spec_boolean("show-trayicon",
"Show tray icon",
"Show/Hide the tray icon",
diff --git a/src/krb5-auth-dialog.c b/src/krb5-auth-dialog.c
index c443cd3..32cc016 100644
--- a/src/krb5-auth-dialog.c
+++ b/src/krb5-auth-dialog.c
@@ -382,14 +382,14 @@ out:
* set ticket options by looking at krb5.conf and gconf
*/
static void
-ka_set_ticket_options(KaApplet* applet,
- krb5_get_init_creds_opt *out)
+ka_set_ticket_options(KaApplet* applet, krb5_context context,
+ krb5_get_init_creds_opt *out,
+ const char* pk_userid, const char* pk_anchors)
{
gboolean flag;
-
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
- krb5_get_init_creds_opt_set_default_flags(kcontext, PACKAGE,
- krb5_principal_get_realm(kcontext, kprincipal), out);
+ krb5_get_init_creds_opt_set_default_flags(context, PACKAGE,
+ krb5_principal_get_realm(context, kprincipal), out);
#endif
g_object_get(applet, "tgt-forwardable", &flag, NULL);
if (flag)
@@ -402,6 +402,20 @@ ka_set_ticket_options(KaApplet* applet,
krb5_deltat r = 3600*24*30; /* 1 month */
krb5_get_init_creds_opt_set_renew_life (out, r);
}
+
+#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA
+ /* pkinit optins for MIT Kerberos */
+ if (pk_userid && strlen(pk_userid)) {
+ KA_DEBUG("pkinit with '%s'", pk_userid);
+ krb5_get_init_creds_opt_set_pa(context, out,
+ "X509_user_identity", pk_userid);
+ if (pk_anchors && strlen(pk_anchors)) {
+ KA_DEBUG("pkinit anchors '%s'", pk_anchors);
+ krb5_get_init_creds_opt_set_pa(context, out,
+ "X509_anchors", pk_anchors);
+ }
+ }
+#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA */
}
@@ -445,24 +459,29 @@ set_options_from_creds(const KaApplet* applet,
}
-#ifdef ENABLE_PKINIT
+#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT
static krb5_error_code
-ka_auth_pkinit(KaApplet* applet, krb5_creds* creds, const char* pk_userid)
+ka_auth_heimdal_pkinit(KaApplet* applet, krb5_creds* creds,
+ const char* pk_userid, const char* pk_anchors)
{
krb5_get_init_creds_opt *opts = NULL;
krb5_error_code retval;
+ const char* pkinit_anchors = NULL;
KA_DEBUG("pkinit with '%s'", pk_userid);
+ if (pk_anchors && strlen (pk_anchors)) {
+ pkinit_anchors = pk_anchors;
+ KA_DEBUG("pkinit anchors '%s'", pkinit_anchors);
+ }
- retval = krb5_get_init_creds_opt_alloc (kcontext, &opts);
- if (retval)
+ if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts)))
goto out;
- ka_set_ticket_options (applet, opts);
+ ka_set_ticket_options (applet, kcontext, opts, NULL, NULL);
retval = krb5_get_init_creds_opt_set_pkinit(kcontext, opts,
kprincipal,
pk_userid,
- NULL, /* x509 anchors */
+ pkinit_anchors,
NULL,
NULL,
0, /* pk_use_enc_key */
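Review bot: The guard on `ka_auth_heimdal_pkinit` is `ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT`, but its only caller in `grab_credentials` is compiled under the stricter `ENABLE_PKINIT && HAVE_HX509_ERR_H && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT`; a build that has the Heimdal function but no `hx509_err.h` will define this `static` function without ever using it, which the warning flags added earlier in the ChangeLog will report. Use the same condition on both sides, `#if ENABLE_PKINIT && HAVE_HX509_ERR_H && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT`, and update the stale `#endif /* ! ENABLE_PKINIT */` comment that closes it. The function's tail lies outside this hunk.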
@@ -484,15 +503,17 @@ out:
#endif /* ! ENABLE_PKINIT */
static krb5_error_code
-ka_auth_password(KaApplet* applet, krb5_creds* creds)
+ka_auth_password(KaApplet* applet, krb5_creds* creds,
+ const char* pk_userid, const char* pk_anchors)
{
krb5_error_code retval;
krb5_get_init_creds_opt *opts = NULL;
- retval = krb5_get_init_creds_opt_alloc (kcontext, &opts);
- if (retval)
+ if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts)))
goto out;
- ka_set_ticket_options (applet, opts);
+ ka_set_ticket_options (applet, kcontext, opts,
+ pk_userid, pk_anchors);
+
retval = krb5_get_init_creds_password(kcontext, creds, kprincipal,
NULL, auth_dialog_prompter, applet,
0, NULL, opts);
@@ -585,6 +606,7 @@ grab_credentials (KaApplet* applet)
krb5_creds my_creds;
krb5_ccache ccache;
gchar *pk_userid = NULL;
+ gchar *pk_anchors = NULL;
gboolean pw_auth = TRUE;
memset(&my_creds, 0, sizeof(my_creds));
@@ -599,18 +621,22 @@ grab_credentials (KaApplet* applet)
if (retval)
goto out2;
- g_object_get(applet, "pk-userid", &pk_userid, NULL);
-#ifdef ENABLE_PKINIT
+ g_object_get(applet, "pk-userid", &pk_userid,
+ "pk-anchors", &pk_anchors,
+ NULL);
+#if ENABLE_PKINIT && HAVE_HX509_ERR_H && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT
/* pk_userid set: try pkinit */
if (pk_userid && strlen(pk_userid)) {
- retval = ka_auth_pkinit(applet, &my_creds, pk_userid);
+ retval = ka_auth_heimdal_pkinit(applet, &my_creds,
+ pk_userid, pk_anchors);
/* other error than: "no token found" - no need to try password auth: */
if (retval != HX509_PKCS11_NO_TOKEN && retval != HX509_PKCS11_NO_SLOT)
pw_auth = FALSE;
}
#endif /* ENABLE_PKINIT */
if (pw_auth)
- retval = ka_auth_password(applet, &my_creds);
+ retval = ka_auth_password(applet, &my_creds,
+ pk_userid, pk_anchors);
creds_expiry = my_creds.times.endtime;
if (canceled)
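Review bot: `pk_anchors` is obtained from `g_object_get`, which hands back a newly allocated copy, but no hunk in this diff adds a matching `g_free (pk_anchors)`, so unless it is released in an unshown part of `grab_credentials` the string leaks on every credential acquisition. Add `g_free (pk_anchors);` next to where `pk_userid` is already released (the cleanup path is outside this hunk). `grab_credentials` begins and ends outside the hunk.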
@@ -621,8 +647,7 @@ grab_credentials (KaApplet* applet)
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
#ifdef HAVE_HX509_ERR_H
case HX509_PKCS11_LOGIN:
-#endif
- /* Invalid password/pin, try again. */
+#endif /* Invalid password/pin, try again. */
invalid_auth = TRUE;
break;
default:
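Review bot: Folding the comment into the preprocessor line, `#endif /* Invalid password/pin, try again. */`, makes it read as a description of the `#ifdef HAVE_HX509_ERR_H` block rather than of the `invalid_auth = TRUE` case it belongs to, which is what the removed lines conveyed. Restore it as its own line, `/* Invalid password/pin, try again. */` above `invalid_auth = TRUE;`, and leave the `#endif` bare or with `/* HAVE_HX509_ERR_H */`.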
diff --git a/src/krb5-auth-dialog.schemas.in b/src/krb5-auth-dialog.schemas.in
index 13b05b2..4b7adb8 100644
--- a/src/krb5-auth-dialog.schemas.in
+++ b/src/krb5-auth-dialog.schemas.in
@@ -34,8 +34,21 @@
<default></default>
<locale name="C">
- <short>Pkinit identifier</short>
- <long>The principal's public/private/certificate identifier when using pkinit</long>
+ <short>PKINIT identifier</short>
+ <long>The principal's public/private/certificate identifier when using PKINIT</long>
+ </locale>
+ </schema>
+
+ <schema>
+ <key>/schemas/apps/::PACKAGE::/pk_anchors</key>
+ <applyto>/apps/::PACKAGE::/pk_anchors</applyto>
+ <owner>::PACKAGE::</owner>
+ <type>string</type>
+ <default></default>
+
+ <locale name="C">
+ <short>PKINIT trust anchors</short>
+ <long>PKINIT CA certificates</long>
</locale>
</schema>
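Review bot: The `<long>` description of the new `pk_anchors` key, `PKINIT CA certificates`, is vaguer than the tooltip shipped with the preferences entry and does not say it is a path; a user browsing the key in gconf-editor gets less guidance than one in the dialog. Use the same wording, e.g. `<long>Path to the CA certificates used as trust anchors when verifying the KDC during PKINIT. Leave empty to use the Kerberos library defaults.</long>`, so both descriptions agree and mention the empty-value fallback that the code relies on.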
diff --git a/src/krb5-auth-gconf-tools.h b/src/krb5-auth-gconf-tools.h
index 9786b2f..9f9020f 100644
--- a/src/krb5-auth-gconf-tools.h
+++ b/src/krb5-auth-gconf-tools.h
@@ -28,6 +28,7 @@
#define KA_GCONF_PATH "/apps/" PACKAGE
#define KA_GCONF_KEY_PRINCIPAL KA_GCONF_PATH "/principal"
#define KA_GCONF_KEY_PK_USERID KA_GCONF_PATH "/pk_userid"
+#define KA_GCONF_KEY_PK_ANCHORS KA_GCONF_PATH "/pk_anchors"
#define KA_GCONF_KEY_PROMPT_MINS KA_GCONF_PATH "/prompt_minutes"
#define KA_GCONF_KEY_SHOW_TRAYICON KA_GCONF_PATH "/show_trayicon"
#define KA_GCONF_KEY_FORWARDABLE KA_GCONF_PATH "/forwardable"
diff --git a/src/krb5-auth-gconf.c b/src/krb5-auth-gconf.c
index 25eb555..497b1a7 100644
--- a/src/krb5-auth-gconf.c
+++ b/src/krb5-auth-gconf.c
@@ -20,6 +20,7 @@
#include "config.h"
#include <gconf/gconf-client.h>
+#include <string.h>
#include "krb5-auth-applet.h"
#include "krb5-auth-gconf-tools.h"
@@ -30,7 +31,9 @@ ka_gconf_set_principal (GConfClient* client, KaApplet* applet)
{
gchar* principal = NULL;
- if(!ka_gconf_get_string (client, KA_GCONF_KEY_PRINCIPAL, &principal)) {
+ if(!ka_gconf_get_string (client, KA_GCONF_KEY_PRINCIPAL, &principal)
+ || !strlen(principal)) {
+ g_free (principal);
principal = g_strdup (g_get_user_name());
}
g_object_set(applet, "principal", principal, NULL);
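Review bot: The new `|| !strlen(principal)` dereferences `principal` whenever `ka_gconf_get_string` returns TRUE; if that helper can succeed while leaving `principal` NULL (an unset key, depending on how it treats a missing value, which is not visible here), this is `strlen(NULL)` and a crash at startup. The NULL-safe form costs nothing: `|| !principal || !*principal`. The later `g_free (principal)` is fine either way since `g_free` accepts NULL.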
@@ -54,6 +57,20 @@ ka_gconf_set_pk_userid (GConfClient* client, KaApplet* applet)
static gboolean
+ka_gconf_set_pk_anchors (GConfClient* client, KaApplet* applet)
+{
+ gchar* pk_anchors = NULL;
+
+ if(!ka_gconf_get_string (client, KA_GCONF_KEY_PK_ANCHORS, &pk_anchors)) {
+ pk_anchors = g_strdup ("");
+ }
+ g_object_set(applet, "pk_anchors", pk_anchors, NULL);
+ g_free (pk_anchors);
+ return TRUE;
+}
+
+
+static gboolean
ka_gconf_set_prompt_mins (GConfClient* client, KaApplet* applet)
{
gint prompt_mins = 0;
@@ -140,6 +157,8 @@ ka_gconf_key_changed_callback (GConfClient* client,
ka_gconf_set_show_trayicon (client, applet);
} else if (g_strcmp0 (key, KA_GCONF_KEY_PK_USERID) == 0) {
ka_gconf_set_pk_userid (client, applet);
+ } else if (g_strcmp0 (key, KA_GCONF_KEY_PK_ANCHORS) == 0) {
+ ka_gconf_set_pk_anchors(client, applet);
} else if (g_strcmp0 (key, KA_GCONF_KEY_FORWARDABLE) == 0) {
ka_gconf_set_tgt_forwardable (client, applet);
} else if (g_strcmp0 (key, KA_GCONF_KEY_RENEWABLE) == 0) {
@@ -176,6 +195,7 @@ ka_gconf_init (KaApplet* applet,
ka_gconf_set_prompt_mins (client, applet);
ka_gconf_set_show_trayicon (client, applet);
ka_gconf_set_pk_userid(client, applet);
+ ka_gconf_set_pk_anchors(client, applet);
ka_gconf_set_tgt_forwardable(client, applet);
ka_gconf_set_tgt_renewable(client, applet);
ka_gconf_set_tgt_proxiable(client, applet);