diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/krb5-auth-applet.c | 22 | ||||
-rw-r--r-- | src/krb5-auth-dialog.c | 67 | ||||
-rw-r--r-- | src/krb5-auth-dialog.schemas.in | 17 | ||||
-rw-r--r-- | src/krb5-auth-gconf-tools.h | 1 | ||||
-rw-r--r-- | src/krb5-auth-gconf.c | 22 |
5 files changed, 105 insertions, 24 deletions
diff --git a/src/krb5-auth-applet.c b/src/krb5-auth-applet.c index daaef2e..6e02ed8 100644 --- a/src/krb5-auth-applet.c +++ b/src/krb5-auth-applet.c @@ -41,6 +41,7 @@ enum KA_PROP_0 = 0, KA_PROP_PRINCIPAL, KA_PROP_PK_USERID, + KA_PROP_PK_ANCHORS, KA_PROP_TRAYICON, KA_PROP_PW_PROMPT_MINS, KA_PROP_TGT_FORWARDABLE, @@ -76,6 +77,7 @@ struct _KaAppletPrivate char* principal; /* the principal to request */ gboolean renewable; /* credentials renewable? */ char* pk_userid; /* "userid" for pkint */ + char* pk_anchors; /* trust anchors for pkint */ gboolean tgt_forwardable; /* request a forwardable ticket */ gboolean tgt_renewable; /* request a renewable ticket */ gboolean tgt_proxiable; /* request a proxiable ticket */ @@ -102,6 +104,12 @@ ka_applet_set_property (GObject *object, KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_userid); break; + case KA_PROP_PK_ANCHORS: + g_free (self->priv->pk_anchors); + self->priv->pk_anchors = g_value_dup_string (value); + KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_anchors); + break; + case KA_PROP_TRAYICON: self->priv->show_trayicon = g_value_get_boolean (value); KA_DEBUG ("%s: %s", pspec->name, self->priv->show_trayicon ? "True" : "False"); @@ -152,6 +160,10 @@ ka_applet_get_property (GObject *object, g_value_set_string (value, self->priv->pk_userid); break; + case KA_PROP_PK_ANCHORS: + g_value_set_string (value, self->priv->pk_anchors); + break; + case KA_PROP_TRAYICON: g_value_set_boolean (value, self->priv->show_trayicon); break; @@ -207,6 +219,7 @@ ka_applet_finalize(GObject *object) g_free (applet->priv->principal); g_free (applet->priv->pk_userid); + g_free (applet->priv->pk_anchors); /* no need to free applet->priv */ if (parent_class->finalize != NULL) @@ -252,6 +265,15 @@ ka_applet_class_init(KaAppletClass *klass) KA_PROP_PK_USERID, pspec); + pspec = g_param_spec_string ("pk-anchors", + "PKinit trust anchors", + "Get/Set Pkinit trust anchors", + "", + G_PARAM_CONSTRUCT | G_PARAM_READWRITE); + g_object_class_install_property (object_class, + KA_PROP_PK_ANCHORS, + pspec); + pspec = g_param_spec_boolean("show-trayicon", "Show tray icon", "Show/Hide the tray icon", diff --git a/src/krb5-auth-dialog.c b/src/krb5-auth-dialog.c index c443cd3..32cc016 100644 --- a/src/krb5-auth-dialog.c +++ b/src/krb5-auth-dialog.c @@ -382,14 +382,14 @@ out: * set ticket options by looking at krb5.conf and gconf */ static void -ka_set_ticket_options(KaApplet* applet, - krb5_get_init_creds_opt *out) +ka_set_ticket_options(KaApplet* applet, krb5_context context, + krb5_get_init_creds_opt *out, + const char* pk_userid, const char* pk_anchors) { gboolean flag; - #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS - krb5_get_init_creds_opt_set_default_flags(kcontext, PACKAGE, - krb5_principal_get_realm(kcontext, kprincipal), out); + krb5_get_init_creds_opt_set_default_flags(context, PACKAGE, + krb5_principal_get_realm(context, kprincipal), out); #endif g_object_get(applet, "tgt-forwardable", &flag, NULL); if (flag) @@ -402,6 +402,20 @@ ka_set_ticket_options(KaApplet* applet, krb5_deltat r = 3600*24*30; /* 1 month */ krb5_get_init_creds_opt_set_renew_life (out, r); } + +#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA + /* pkinit optins for MIT Kerberos */ + if (pk_userid && strlen(pk_userid)) { + KA_DEBUG("pkinit with '%s'", pk_userid); + krb5_get_init_creds_opt_set_pa(context, out, + "X509_user_identity", pk_userid); + if (pk_anchors && strlen(pk_anchors)) { + KA_DEBUG("pkinit anchors '%s'", pk_anchors); + krb5_get_init_creds_opt_set_pa(context, out, + "X509_anchors", pk_anchors); + } + } +#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA */ } @@ -445,24 +459,29 @@ set_options_from_creds(const KaApplet* applet, } -#ifdef ENABLE_PKINIT +#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT static krb5_error_code -ka_auth_pkinit(KaApplet* applet, krb5_creds* creds, const char* pk_userid) +ka_auth_heimdal_pkinit(KaApplet* applet, krb5_creds* creds, + const char* pk_userid, const char* pk_anchors) { krb5_get_init_creds_opt *opts = NULL; krb5_error_code retval; + const char* pkinit_anchors = NULL; KA_DEBUG("pkinit with '%s'", pk_userid); + if (pk_anchors && strlen (pk_anchors)) { + pkinit_anchors = pk_anchors; + KA_DEBUG("pkinit anchors '%s'", pkinit_anchors); + } - retval = krb5_get_init_creds_opt_alloc (kcontext, &opts); - if (retval) + if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts))) goto out; - ka_set_ticket_options (applet, opts); + ka_set_ticket_options (applet, kcontext, opts, NULL, NULL); retval = krb5_get_init_creds_opt_set_pkinit(kcontext, opts, kprincipal, pk_userid, - NULL, /* x509 anchors */ + pkinit_anchors, NULL, NULL, 0, /* pk_use_enc_key */ @@ -484,15 +503,17 @@ out: #endif /* ! ENABLE_PKINIT */ static krb5_error_code -ka_auth_password(KaApplet* applet, krb5_creds* creds) +ka_auth_password(KaApplet* applet, krb5_creds* creds, + const char* pk_userid, const char* pk_anchors) { krb5_error_code retval; krb5_get_init_creds_opt *opts = NULL; - retval = krb5_get_init_creds_opt_alloc (kcontext, &opts); - if (retval) + if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts))) goto out; - ka_set_ticket_options (applet, opts); + ka_set_ticket_options (applet, kcontext, opts, + pk_userid, pk_anchors); + retval = krb5_get_init_creds_password(kcontext, creds, kprincipal, NULL, auth_dialog_prompter, applet, 0, NULL, opts); @@ -585,6 +606,7 @@ grab_credentials (KaApplet* applet) krb5_creds my_creds; krb5_ccache ccache; gchar *pk_userid = NULL; + gchar *pk_anchors = NULL; gboolean pw_auth = TRUE; memset(&my_creds, 0, sizeof(my_creds)); @@ -599,18 +621,22 @@ grab_credentials (KaApplet* applet) if (retval) goto out2; - g_object_get(applet, "pk-userid", &pk_userid, NULL); -#ifdef ENABLE_PKINIT + g_object_get(applet, "pk-userid", &pk_userid, + "pk-anchors", &pk_anchors, + NULL); +#if ENABLE_PKINIT && HAVE_HX509_ERR_H && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT /* pk_userid set: try pkinit */ if (pk_userid && strlen(pk_userid)) { - retval = ka_auth_pkinit(applet, &my_creds, pk_userid); + retval = ka_auth_heimdal_pkinit(applet, &my_creds, + pk_userid, pk_anchors); /* other error than: "no token found" - no need to try password auth: */ if (retval != HX509_PKCS11_NO_TOKEN && retval != HX509_PKCS11_NO_SLOT) pw_auth = FALSE; } #endif /* ENABLE_PKINIT */ if (pw_auth) - retval = ka_auth_password(applet, &my_creds); + retval = ka_auth_password(applet, &my_creds, + pk_userid, pk_anchors); creds_expiry = my_creds.times.endtime; if (canceled) @@ -621,8 +647,7 @@ grab_credentials (KaApplet* applet) case KRB5KRB_AP_ERR_BAD_INTEGRITY: #ifdef HAVE_HX509_ERR_H case HX509_PKCS11_LOGIN: -#endif - /* Invalid password/pin, try again. */ +#endif /* Invalid password/pin, try again. */ invalid_auth = TRUE; break; default: diff --git a/src/krb5-auth-dialog.schemas.in b/src/krb5-auth-dialog.schemas.in index 13b05b2..4b7adb8 100644 --- a/src/krb5-auth-dialog.schemas.in +++ b/src/krb5-auth-dialog.schemas.in @@ -34,8 +34,21 @@ <default></default> <locale name="C"> - <short>Pkinit identifier</short> - <long>The principal's public/private/certificate identifier when using pkinit</long> + <short>PKINIT identifier</short> + <long>The principal's public/private/certificate identifier when using PKINIT</long> + </locale> + </schema> + + <schema> + <key>/schemas/apps/::PACKAGE::/pk_anchors</key> + <applyto>/apps/::PACKAGE::/pk_anchors</applyto> + <owner>::PACKAGE::</owner> + <type>string</type> + <default></default> + + <locale name="C"> + <short>PKINIT trust anchors</short> + <long>PKINIT CA certificates</long> </locale> </schema> diff --git a/src/krb5-auth-gconf-tools.h b/src/krb5-auth-gconf-tools.h index 9786b2f..9f9020f 100644 --- a/src/krb5-auth-gconf-tools.h +++ b/src/krb5-auth-gconf-tools.h @@ -28,6 +28,7 @@ #define KA_GCONF_PATH "/apps/" PACKAGE #define KA_GCONF_KEY_PRINCIPAL KA_GCONF_PATH "/principal" #define KA_GCONF_KEY_PK_USERID KA_GCONF_PATH "/pk_userid" +#define KA_GCONF_KEY_PK_ANCHORS KA_GCONF_PATH "/pk_anchors" #define KA_GCONF_KEY_PROMPT_MINS KA_GCONF_PATH "/prompt_minutes" #define KA_GCONF_KEY_SHOW_TRAYICON KA_GCONF_PATH "/show_trayicon" #define KA_GCONF_KEY_FORWARDABLE KA_GCONF_PATH "/forwardable" diff --git a/src/krb5-auth-gconf.c b/src/krb5-auth-gconf.c index 25eb555..497b1a7 100644 --- a/src/krb5-auth-gconf.c +++ b/src/krb5-auth-gconf.c @@ -20,6 +20,7 @@ #include "config.h" #include <gconf/gconf-client.h> +#include <string.h> #include "krb5-auth-applet.h" #include "krb5-auth-gconf-tools.h" @@ -30,7 +31,9 @@ ka_gconf_set_principal (GConfClient* client, KaApplet* applet) { gchar* principal = NULL; - if(!ka_gconf_get_string (client, KA_GCONF_KEY_PRINCIPAL, &principal)) { + if(!ka_gconf_get_string (client, KA_GCONF_KEY_PRINCIPAL, &principal) + || !strlen(principal)) { + g_free (principal); principal = g_strdup (g_get_user_name()); } g_object_set(applet, "principal", principal, NULL); @@ -54,6 +57,20 @@ ka_gconf_set_pk_userid (GConfClient* client, KaApplet* applet) static gboolean +ka_gconf_set_pk_anchors (GConfClient* client, KaApplet* applet) +{ + gchar* pk_anchors = NULL; + + if(!ka_gconf_get_string (client, KA_GCONF_KEY_PK_ANCHORS, &pk_anchors)) { + pk_anchors = g_strdup (""); + } + g_object_set(applet, "pk_anchors", pk_anchors, NULL); + g_free (pk_anchors); + return TRUE; +} + + +static gboolean ka_gconf_set_prompt_mins (GConfClient* client, KaApplet* applet) { gint prompt_mins = 0; @@ -140,6 +157,8 @@ ka_gconf_key_changed_callback (GConfClient* client, ka_gconf_set_show_trayicon (client, applet); } else if (g_strcmp0 (key, KA_GCONF_KEY_PK_USERID) == 0) { ka_gconf_set_pk_userid (client, applet); + } else if (g_strcmp0 (key, KA_GCONF_KEY_PK_ANCHORS) == 0) { + ka_gconf_set_pk_anchors(client, applet); } else if (g_strcmp0 (key, KA_GCONF_KEY_FORWARDABLE) == 0) { ka_gconf_set_tgt_forwardable (client, applet); } else if (g_strcmp0 (key, KA_GCONF_KEY_RENEWABLE) == 0) { @@ -176,6 +195,7 @@ ka_gconf_init (KaApplet* applet, ka_gconf_set_prompt_mins (client, applet); ka_gconf_set_show_trayicon (client, applet); ka_gconf_set_pk_userid(client, applet); + ka_gconf_set_pk_anchors(client, applet); ka_gconf_set_tgt_forwardable(client, applet); ka_gconf_set_tgt_renewable(client, applet); ka_gconf_set_tgt_proxiable(client, applet); |