From d6eee4e647348875912d9c6853a8de0a7d6069ad Mon Sep 17 00:00:00 2001
From: Guido Günther
Date: Sat, 18 Apr 2009 00:24:56 +0200
Subject: Imported Upstream version 0.9~rc1

---
 AUTHORS | 1 +
 ChangeLog | 67 ++++++++++++++++++-----
 configure.ac | 27 +++++-----
 krb5-auth-dialog.doap | 17 ++++++
 preferences/krb5-auth-dialog-preferences.c | 74 +++++++++++++++++++++++++-
 preferences/krb5-auth-dialog-preferences.glade | 49 ++++++++++++++++-
 src/krb5-auth-applet.c | 22 ++++++++
 src/krb5-auth-dialog.c | 67 +++++++++++++++--------
 src/krb5-auth-dialog.schemas.in | 17 +++++-
 src/krb5-auth-gconf-tools.h | 1 +
 src/krb5-auth-gconf.c | 22 +++++++-
 11 files changed, 311 insertions(+), 53 deletions(-)
 create mode 100644 krb5-auth-dialog.doap

diff --git a/AUTHORS b/AUTHORS
index 031f294..695d287 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -1,3 +1,4 @@
 Christopher Aillon
 Jonathan Blandford
+Colin Walters
 Guido Günther
diff --git a/ChangeLog b/ChangeLog
index e253814..3a03eae 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,45 @@ -Sa Apr 4 11:15:39 CEST 2009 Guido Günther +Sat Apr 18 00:19:02 CEST 2009 Guido Günther + + * src/krb5-auth-gconf.c (ka_gconf_set_principal): handle length zero + KA_GCONF_KEY_PRINCIPAL + +Fri Apr 17 13:36:00 CEST 2009 Guido Günther + + * preferences/krb5-auth-dialog-preferences.glade: mark GtkEntrys + activates_default and close button as has_default. + +Fri Apr 17 13:20:09 CEST 2009 Guido Günther + + make pkinit anchors configurable and pass pkinit options to + krb5_get_init_creds_opt_set_pa (MIT pkinit), if available. + * configure.ac: check for krb5_get_init_creds_opt_set_pa + * preferences/krb5-auth-dialog-preferences.c + (ka_preferences_pkanchors_notify, + ka_preferences_dialog_pkanchors_changed, + ka_preferences_dialog_setup_pkanchors_entry): new functions + (ka_preferences_dialog_init: call + ka_preferences_dialog_setup_pkanchors_entry to handle pk_anchors + * preferences/krb5-auth-dialog-preferences.glade: add pkanchors_entry + GtkEntry + * src/krb5-auth-applet.c (ka_applet-{set,get}_property, + ka_applet_class_init): handle pk-anchors property + * src/krb5-auth-dialog.c (ka_set_ticket_options): pass pkinit userid + and anchors to krb5_get_init_creds_opt_set_pa if available. + (ka_auth_pkinit): rename to ka_auth_heimdal_pkinit + (ka_auth_heimdal_pkinit): pass pk_anchors + (grab_credentials): fetch pk_anchors from pk-anchors property and + pass it to ka_auth_{password,heimdal_pkinit} + * src/krb5-auth-gconf.c (ka_gconf_set_pk_anchors): new function + (ka_gconf_key_changed_callback): handle pk_anchors + (ka_gconf_init); likewise + * src/krb5-auth-gconf-tools.h: add pk_anchors + * src/krb5-auth-dialog.schemas.in: add pk_anchors + +Fri Apr 17 13:19:18 CEST 2009 Guido Günther + + * AUTHORS: add Colin + +Sat Apr 4 11:15:39 CEST 2009 Guido Günther GtkSecureEntry warning fixes: * gtksecentry/gtksecentry.c (gtk_secure_entry_state_changed: drop 
@@ -21,7 +62,7 @@ Sa Apr 4 11:15:39 CEST 2009 Guido Günther (gtk_secure_entry_layout_index_to_text_index): likewise (gtk_secure_entry_text_index_to_layout_index): likewise -Sa Apr 4 11:06:45 CEST 2009 Guido Günther +Sat Apr 4 11:06:45 CEST 2009 Guido Günther add preferences capplet * preferences/{krb5-auth-dialog-preferences.{c,glade,desktop.in}, @@ -32,7 +73,7 @@ Sa Apr 4 11:06:45 CEST 2009 Guido Günther preferences (ka_applet_create_context_menu): add preferences context menu entry -Sa Apr 4 10:57:23 CEST 2009 Guido Günther +Sat Apr 4 10:57:23 CEST 2009 Guido Günther allow to set ticket proxiable, renewable and forwardable ticket flags via gconf @@ -47,7 +88,7 @@ Sa Apr 4 10:57:23 CEST 2009 Guido Günther boolean gconf keys * src/krb5-auth-dialog.schemas.in: add new gconf keys to schema -Sa Apr 4 10:52:53 CEST 2009 Guido Günther +Sat Apr 4 10:52:53 CEST 2009 Guido Günther split out gconf tool functions * src/krb5-auth-gconf-tools.h: new file @@ -56,13 +97,13 @@ Sa Apr 4 10:52:53 CEST 2009 Guido Günther src/krb5-auth-gconf-tools.c (KA_GCONF_*): move to src/krb5-auth-gconf-tools.h -Sa Mär 28 14:17:49 CET 2009 Guido Günther +Sat Mär 28 14:17:49 CET 2009 Guido Günther add dbus service file * src/org.gnome.KrbAuthDialog.service.in: new file * src/Makefile.am (service_DATA): process annd install service file -Di Mär 24 00:04:50 CET 2009 Guido Günther +Tue Mär 24 00:04:50 CET 2009 Guido Günther monitor ccache via GFileMontor * src/krb5-auth-dialog.c (monitor_ccache, ka_ccache_filename, @@ -70,7 +111,7 @@ Di Mär 24 00:04:50 CET 2009 Guido Günther (main): monitor ccache via monitor_ccache * configure.ac: look for gio-unix -Di Mär 24 00:01:28 CET 2009 Guido Günther +Tue Mär 24 00:01:28 CET 2009 Guido Günther * src/krb5-auth-dialog.c (auth_dialog_prompter): handle GTK_RESPONSE_DELETE_EVENT like GTK_RESPONSE_CANCEL so pressing ESC or 
@@ -79,34 +120,34 @@ Di Mär 24 00:01:28 CET 2009 Guido Günther kerberos error codes - more robust since heimdal and mit have different responses, let alone pkinit. -Mo Mär 23 23:57:36 CET 2009 Guido Günther +Mon Mär 23 23:57:36 CET 2009 Guido Günther split password auth into a separate function * src/krb5-auth-dialog.c (ka_auth_password): new function (grab_credentials): fall back to password auth if no token is present and pkinit is enabled -Mo Mär 23 23:55:20 CET 2009 Guido Günther +Mon Mär 23 23:55:20 CET 2009 Guido Günther * src/krb5-auth-pwdialog.h: remove unused headers * src/krb5-auth-applet.h: likewise * src/krb5-auth-dialog.c (is_online): move static variable to the top -Mi Mär 11 17:21:07 CET 2009 Guido Günther +Wed Mär 11 17:21:07 CET 2009 Guido Günther silence compiler warnings * src/krb5-auth-{applet,dialog,gconf,pwdialog}.[ch]: mark unused parameters as G_GNUC_UNUSED or drop them, add missing void to prototypes -Mi Mär 11 17:19:02 CET 2009 Guido Günther +Mon Mär 11 17:19:02 CET 2009 Guido Günther add more compiler warnings * acinclude.m4: add KA_COMPILE_WARNINGS * compiler-flags.m4: add gl_COMPILER_FLAGS to test compiler options * configure.ac: call KA_COMPILE_WARNINGS and add WARN_CFLAGS to CFLAGS -Mi Mär 11 17:10:11 CET 2009 Guido Günther +Wed Mär 11 17:10:11 CET 2009 Guido Günther push the dialog into the foreground and grab the keyboard so we make sure the user gets to see the dialog in all cases (e.g. when an app is @@ -117,7 +158,7 @@ Mi Mär 11 17:10:11 CET 2009 Guido Günther window_state_changed): new functions (ka_pwdialog_run): use these -Mi Mär 11 17:04:03 CET 2009 Guido Günther +Wed Mär 11 17:04:03 CET 2009 Guido Günther add a pwdialog gobject - remove lots of duplicate code and splits most of the password dialog handling into its own file diff --git a/configure.ac b/configure.ac index be95999..3b9c983 100644 --- a/configure.ac +++ b/configure.ac 
@@ -65,10 +65,13 @@ AC_CHECK_MEMBERS(krb5_creds.flags.b.forwardable,,,[#include ]) AC_CHECK_MEMBERS(krb5_creds.flags.b.renewable,,,[#include ]) AC_CHECK_MEMBERS(krb5_creds.flags.b.proxiable,,,[#include ]) AC_CHECK_MEMBERS(krb5_creds.flags,,,[#include ]) -AC_CHECK_FUNCS([krb5_get_error_message]) -AC_CHECK_FUNCS([krb5_get_renewed_creds]) -AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_default_flags]) -AC_CHECK_FUNCS([krb5_cc_clear_mcred]) +AC_CHECK_FUNCS([krb5_get_error_message krb5_get_renewed_creds \ + krb5_get_init_creds_opt_set_default_flags \ + krb5_cc_clear_mcred]) +AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit], + [heimdal_pkinit=yes],[heimdal_pkinit=no]) +AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pa], + [mit_pkinit=yes],[mit_pkinit=no]) AC_MSG_CHECKING(if a krb5_principal->realm is a char*) AC_COMPILE_IFELSE([ $ac_includes_default @@ -95,29 +98,25 @@ main(int argc, char **argv) foo->realm = bar; return 0; }],[AC_DEFINE(HAVE_KRB5_PRINCIPAL_REALM_AS_DATA,1,[Define if the realm of a krb5_principal is a krb5_data]) -AC_MSG_RESULT(yes)], -AC_MSG_RESULT(no)) +AC_MSG_RESULT(yes)], AC_MSG_RESULT(no)) + dnl pkinit AC_MSG_CHECKING([whether to enable pkinit support]) AC_ARG_ENABLE([pkinit], AS_HELP_STRING([--enable-pkinit],[whether to enable preauth via pkinit support]), [],[enable_pkinit=autodetect]) -AC_MSG_RESULT([$enable_pkinit]) -if test "x$enable_pkinit" != "xno"; then - AC_CHECK_FUNCS([krb5_get_init_creds_opt_set_pkinit], - [enable_pkinit=yes],[enable_pkinit=no]) -fi - -if test "x$enable_pkinit" = "xyes"; then +if test "x$heimdal_pkinit" = "xyes" -o \ + "x$mit_pkinit" = "xyes"; then + enable_pkinit=yes AC_DEFINE([ENABLE_PKINIT],[1],[Define for pkinit support]) fi +AC_MSG_RESULT([$enable_pkinit]) AM_CONDITIONAL([ENABLE_PKINIT],[test "x$enable_pkinit" = "xyes"]) CFLAGS="$savedCFLAGS" LIBS="$savedLIBS" - dnl NetworkManager AC_MSG_CHECKING([whether to enable NetworkManager support]) AC_ARG_ENABLE([network-manager], 
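Review bot: `--disable-pkinit` no longer has any effect in the second hunk, because the value `AC_ARG_ENABLE([pkinit])` leaves in `$enable_pkinit` is never consulted before `enable_pkinit=yes` is forced whenever either `krb5_get_init_creds_opt_set_pkinit` or `krb5_get_init_creds_opt_set_pa` is found; the removed lines used to gate this on `"x$enable_pkinit" != "xno"`. A packager who explicitly disables PKINIT against a libkrb5 that exports those symbols still gets `ENABLE_PKINIT` defined and the smartcard code paths compiled in. A side effect is that when neither function is found `AC_MSG_RESULT` prints `autodetect` instead of `no`. Suggested replacement for the `if` block, which keeps the user's choice authoritative:
```m4
if test "x$enable_pkinit" != "xno"; then
  if test "x$heimdal_pkinit" = "xyes" -o "x$mit_pkinit" = "xyes"; then
    enable_pkinit=yes
    AC_DEFINE([ENABLE_PKINIT],[1],[Define for pkinit support])
  else
    enable_pkinit=no
  fi
fi
AC_MSG_RESULT([$enable_pkinit])
dnl … unchanged: AM_CONDITIONAL and CFLAGS/LIBS restore …
```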
diff --git a/krb5-auth-dialog.doap b/krb5-auth-dialog.doap new file mode 100644 index 0000000..af2d09c --- /dev/null +++ b/krb5-auth-dialog.doap @@ -0,0 +1,17 @@ + + krb5-auth-dialog + Tray applet to acquire, monitor and refresh Kerberos tickets + + + + Guido Günther + + guidog + + + + diff --git a/preferences/krb5-auth-dialog-preferences.c b/preferences/krb5-auth-dialog-preferences.c index caf9ed9..ab463a0 100644 --- a/preferences/krb5-auth-dialog-preferences.c +++ b/preferences/krb5-auth-dialog-preferences.c @@ -36,7 +36,7 @@ #include "krb5-auth-gconf-tools.h" -#define N_LISTENERS 7 +#define N_LISTENERS 8 typedef struct { GladeXML *xml; @@ -45,6 +45,7 @@ typedef struct { GtkWidget *dialog; GtkWidget *principal_entry; GtkWidget *pkuserid_entry; + GtkWidget *pkanchors_entry; GtkWidget *forwardable_toggle; GtkWidget *proxiable_toggle; GtkWidget *renewable_toggle; 
@@ -197,6 +198,76 @@ ka_preferences_dialog_setup_pkuserid_entry (KaPreferencesDialog *dialog) } +static void +ka_preferences_pkanchors_notify (GConfClient *client G_GNUC_UNUSED, + guint cnx_id G_GNUC_UNUSED, + GConfEntry *entry, + KaPreferencesDialog *dialog) +{ + const char *pkanchors; + + if (!entry->value || entry->value->type != GCONF_VALUE_STRING) + return; + + pkanchors = gconf_value_get_string (entry->value); + + if (!pkanchors || !strlen(pkanchors)) + gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), ""); + else { + const char *old_pkanchors; + + old_pkanchors = gtk_entry_get_text (GTK_ENTRY (dialog->pkanchors_entry)); + if (!old_pkanchors || (old_pkanchors && strcmp (old_pkanchors, pkanchors))) + gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), pkanchors); + } +} + + +static void +ka_preferences_dialog_pkanchors_changed (GtkEntry *entry, + KaPreferencesDialog *dialog) +{ + const char *pkanchors; + + pkanchors = gtk_entry_get_text (entry); + + if (!pkanchors || !strlen(pkanchors)) + gconf_client_unset (dialog->client, KA_GCONF_KEY_PK_ANCHORS, NULL); + else + gconf_client_set_string (dialog->client, KA_GCONF_KEY_PK_ANCHORS, pkanchors, NULL); +} + + +static void +ka_preferences_dialog_setup_pkanchors_entry (KaPreferencesDialog *dialog) +{ + char *pkanchors = NULL; + + dialog->pkanchors_entry = glade_xml_get_widget (dialog->xml, "pkanchors_entry"); + g_assert (dialog->pkanchors_entry != NULL); + + if (!ka_gconf_get_string (dialog->client, KA_GCONF_KEY_PK_ANCHORS, &pkanchors)) + g_warning ("Getting pkanchors failed"); + + if (pkanchors && strlen(pkanchors)) + gtk_entry_set_text (GTK_ENTRY (dialog->pkanchors_entry), pkanchors); + if (pkanchors) + g_free (pkanchors); + + g_signal_connect (dialog->pkanchors_entry, "changed", + G_CALLBACK (ka_preferences_dialog_pkanchors_changed), dialog); + if (!gconf_client_key_is_writable (dialog->client, KA_GCONF_KEY_PK_ANCHORS, NULL)) { + gtk_widget_set_sensitive (dialog->pkanchors_entry, FALSE); + } + + 
dialog->listeners [dialog->n_listeners] = gconf_client_notify_add (dialog->client, + KA_GCONF_KEY_PK_ANCHORS, + (GConfClientNotifyFunc) ka_preferences_pkanchors_notify, + dialog, NULL, NULL); + dialog->n_listeners++; +} + + static void ka_preferences_dialog_forwardable_toggled (GtkToggleButton *toggle, KaPreferencesDialog *dialog) @@ -552,6 +623,7 @@ ka_preferences_dialog_init(KaPreferencesDialog* dialog) ka_preferences_dialog_setup_principal_entry (dialog); ka_preferences_dialog_setup_pkuserid_entry (dialog); + ka_preferences_dialog_setup_pkanchors_entry(dialog); ka_preferences_dialog_setup_forwardable_toggle (dialog); ka_preferences_dialog_setup_proxiable_toggle (dialog); ka_preferences_dialog_setup_renewable_toggle (dialog); diff --git a/preferences/krb5-auth-dialog-preferences.glade b/preferences/krb5-auth-dialog-preferences.glade index b4e5cd5..8e23b2f 100644 --- a/preferences/krb5-auth-dialog-preferences.glade +++ b/preferences/krb5-auth-dialog-preferences.glade @@ -1,6 +1,6 @@ - + 5 @@ -87,6 +87,7 @@ True True + True 1 @@ -128,6 +129,7 @@ True True The principal's public/private/certificate identifier. Leave empty if not using PKINIT. + True 1 @@ -138,6 +140,48 @@ 3 + + + True + 0 + PKINT anchors: + + + False + False + 4 + + + + + True + 6 + + + True + + + + False + False + + + + + True + True + Path to CA certificates used as trust anchors for PKINIT + True + + + 1 + + + + + 5 + + 1 @@ -392,6 +436,7 @@ True True Send notification about ticket expiry that many minutes before it finally expires. + True 0 0 100 1 10 10 @@ -552,6 +597,8 @@ True True + True + True True gtk-close True diff --git a/src/krb5-auth-applet.c b/src/krb5-auth-applet.c index daaef2e..6e02ed8 100644 --- a/src/krb5-auth-applet.c +++ b/src/krb5-auth-applet.c @@ -41,6 +41,7 @@ enum KA_PROP_0 = 0, KA_PROP_PRINCIPAL, KA_PROP_PK_USERID, + KA_PROP_PK_ANCHORS, KA_PROP_TRAYICON, KA_PROP_PW_PROMPT_MINS, KA_PROP_TGT_FORWARDABLE, 
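Review bot: `ka_preferences_dialog_pkanchors_changed` passes `NULL` as the `GError` to both `gconf_client_unset` and `gconf_client_set_string`, so a failed write leaves the dialog showing an anchors path that the applet will never hand to libkrb5; since this string decides which CAs are trusted for the KDC's PKINIT certificate, a failure deserves at least a `g_warning` with the error message rather than silence. `ka_preferences_dialog_setup_pkanchors_entry` stores into `dialog->listeners [dialog->n_listeners]` with `N_LISTENERS` bumped by hand to 8 in the first hunk; a `g_assert (dialog->n_listeners < N_LISTENERS);` before the store would catch the next forgotten bump instead of corrupting the struct. In `ka_preferences_pkanchors_notify` an entry with a `NULL` `value` returns early, which presumably is what an external unset of the key delivers, so a second preferences instance keeps showing the stale path; treating a `NULL` value like the empty-string case would keep them in sync. The `if (pkanchors) g_free (pkanchors);` guard is redundant, `g_free (NULL)` is a no-op.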
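Review bot: The new label text reads `PKINT anchors:` while the tooltip in the same hunk and the schema say PKINIT; the label is user-visible and will be extracted for translation as-is, so it should be `PKINIT anchors:`.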
@@ -76,6 +77,7 @@ struct _KaAppletPrivate
 char* principal; /* the principal to request */
 gboolean renewable; /* credentials renewable? */
 char* pk_userid; /* "userid" for pkint */
+ char* pk_anchors; /* trust anchors for pkint */
 gboolean tgt_forwardable; /* request a forwardable ticket */
 gboolean tgt_renewable; /* request a renewable ticket */
 gboolean tgt_proxiable; /* request a proxiable ticket */
@@ -102,6 +104,12 @@ ka_applet_set_property (GObject *object,
 KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_userid);
 break;
+ case KA_PROP_PK_ANCHORS:
+ g_free (self->priv->pk_anchors);
+ self->priv->pk_anchors = g_value_dup_string (value);
+ KA_DEBUG ("%s: %s", pspec->name, self->priv->pk_anchors);
+ break;
+
 case KA_PROP_TRAYICON:
 self->priv->show_trayicon = g_value_get_boolean (value);
 KA_DEBUG ("%s: %s", pspec->name, self->priv->show_trayicon ? "True" : "False");
@@ -152,6 +160,10 @@ ka_applet_get_property (GObject *object,
 g_value_set_string (value, self->priv->pk_userid);
 break;
+ case KA_PROP_PK_ANCHORS:
+ g_value_set_string (value, self->priv->pk_anchors);
+ break;
+
 case KA_PROP_TRAYICON:
 g_value_set_boolean (value, self->priv->show_trayicon);
 break;
@@ -207,6 +219,7 @@ ka_applet_finalize(GObject *object)
 g_free (applet->priv->principal);
 g_free (applet->priv->pk_userid);
+ g_free (applet->priv->pk_anchors);
 /* no need to free applet->priv */
 if (parent_class->finalize != NULL)
@@ -252,6 +265,15 @@ ka_applet_class_init(KaAppletClass *klass)
 KA_PROP_PK_USERID,
 pspec);
+ pspec = g_param_spec_string ("pk-anchors",
+ "PKinit trust anchors",
+ "Get/Set Pkinit trust anchors",
+ "",
+ G_PARAM_CONSTRUCT | G_PARAM_READWRITE);
+ g_object_class_install_property (object_class,
+ KA_PROP_PK_ANCHORS,
+ pspec);
+
 pspec = g_param_spec_boolean("show-trayicon",
 "Show tray icon",
 "Show/Hide the tray icon",
diff --git a/src/krb5-auth-dialog.c b/src/krb5-auth-dialog.c
index c443cd3..32cc016 100644
--- a/src/krb5-auth-dialog.c
+++ b/src/krb5-auth-dialog.c
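Review bot: The blurb of the new `pk-anchors` property in `ka_applet_class_init`, `"Get/Set Pkinit trust anchors"`, says nothing about what the string is or where it ends up, and nothing on the property validates it, so a maintainer cannot tell from here that it is forwarded verbatim to libkrb5; suggest `"Path to the CA certificate(s) trusted as PKINIT anchors; passed unchanged to libkrb5 (X509_anchors on MIT, the anchors argument of krb5_get_init_creds_opt_set_pkinit on Heimdal)"`, which is what krb5-auth-dialog.c does with it in this commit. The matching struct field comment `/* trust anchors for pkint */` could say the same in short form and fix the `pkint` typo. In `ka_applet_set_property` the `KA_DEBUG ("%s: %s", …, self->priv->pk_anchors)` line formats a value that `g_value_dup_string` returns as `NULL` when the property is set to `NULL`; whether that is safe depends on how `KA_DEBUG` is defined outside the hunk, and the same pattern already exists for `pk_userid`, so fix both or neither.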
@@ -382,14 +382,14 @@ out:
 * set ticket options by looking at krb5.conf and gconf
 */
 static void
-ka_set_ticket_options(KaApplet* applet,
- krb5_get_init_creds_opt *out)
+ka_set_ticket_options(KaApplet* applet, krb5_context context,
+ krb5_get_init_creds_opt *out,
+ const char* pk_userid, const char* pk_anchors)
 {
 gboolean flag;
-
 #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_DEFAULT_FLAGS
- krb5_get_init_creds_opt_set_default_flags(kcontext, PACKAGE,
- krb5_principal_get_realm(kcontext, kprincipal), out);
+ krb5_get_init_creds_opt_set_default_flags(context, PACKAGE,
+ krb5_principal_get_realm(context, kprincipal), out);
 #endif
 g_object_get(applet, "tgt-forwardable", &flag, NULL);
 if (flag)
@@ -402,6 +402,20 @@ ka_set_ticket_options(KaApplet* applet,
 krb5_deltat r = 3600*24*30; /* 1 month */
 krb5_get_init_creds_opt_set_renew_life (out, r);
 }
+
+#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA
+ /* pkinit optins for MIT Kerberos */
+ if (pk_userid && strlen(pk_userid)) {
+ KA_DEBUG("pkinit with '%s'", pk_userid);
+ krb5_get_init_creds_opt_set_pa(context, out,
+ "X509_user_identity", pk_userid);
+ if (pk_anchors && strlen(pk_anchors)) {
+ KA_DEBUG("pkinit anchors '%s'", pk_anchors);
+ krb5_get_init_creds_opt_set_pa(context, out,
+ "X509_anchors", pk_anchors);
+ }
+ }
+#endif /* HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA */
 }
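Review bot: Both `krb5_get_init_creds_opt_set_pa` calls in the second hunk discard their `krb5_error_code`, so if libkrb5 rejects the `X509_anchors` (or `X509_user_identity`) option the request silently goes ahead with whatever anchors libkrb5 would otherwise use, presumably the `pkinit_anchors` from krb5.conf, and the user has no indication that the trust anchor they configured is not in effect. `ka_set_ticket_options` is `void` and its callers ignore it, so the minimum here is a `g_warning` per failed call; returning the error code to the callers would be the better follow-up. While at it, `optins` should read `options`, and the closing comment should name the whole condition, `#endif /* ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA */`. The function still reads the global `kprincipal` although `context` became a parameter; pre-existing, but the new signature makes the remaining global stand out.
```c
#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA
	/* pkinit options for MIT Kerberos: hand identity and trust anchors to
	 * the preauth plugin; a rejected option must not pass unnoticed */
	if (pk_userid && strlen(pk_userid)) {
		krb5_error_code rc;

		KA_DEBUG("pkinit with '%s'", pk_userid);
		rc = krb5_get_init_creds_opt_set_pa(context, out,
						    "X509_user_identity", pk_userid);
		if (rc)
			g_warning("Setting X509_user_identity failed: %d", (int)rc);
		if (pk_anchors && strlen(pk_anchors)) {
			KA_DEBUG("pkinit anchors '%s'", pk_anchors);
			rc = krb5_get_init_creds_opt_set_pa(context, out,
							    "X509_anchors", pk_anchors);
			if (rc)
				g_warning("Setting X509_anchors failed: %d", (int)rc);
		}
	}
#endif /* ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PA */
```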
@@ -445,24 +459,29 @@ set_options_from_creds(const KaApplet* applet,
 }
-#ifdef ENABLE_PKINIT
+#if ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT
 static krb5_error_code
-ka_auth_pkinit(KaApplet* applet, krb5_creds* creds, const char* pk_userid)
+ka_auth_heimdal_pkinit(KaApplet* applet, krb5_creds* creds,
+ const char* pk_userid, const char* pk_anchors)
 {
 krb5_get_init_creds_opt *opts = NULL;
 krb5_error_code retval;
+ const char* pkinit_anchors = NULL;
 KA_DEBUG("pkinit with '%s'", pk_userid);
+ if (pk_anchors && strlen (pk_anchors)) {
+ pkinit_anchors = pk_anchors;
+ KA_DEBUG("pkinit anchors '%s'", pkinit_anchors);
+ }
- retval = krb5_get_init_creds_opt_alloc (kcontext, &opts);
- if (retval)
+ if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts)))
 goto out;
- ka_set_ticket_options (applet, opts);
+ ka_set_ticket_options (applet, kcontext, opts, NULL, NULL);
 retval = krb5_get_init_creds_opt_set_pkinit(kcontext, opts, kprincipal, pk_userid,
- NULL, /* x509 anchors */
+ pkinit_anchors,
 NULL, NULL, 0, /* pk_use_enc_key */
@@ -484,15 +503,17 @@ out:
 #endif /* ! ENABLE_PKINIT */
 static krb5_error_code
-ka_auth_password(KaApplet* applet, krb5_creds* creds)
+ka_auth_password(KaApplet* applet, krb5_creds* creds,
+ const char* pk_userid, const char* pk_anchors)
 {
 krb5_error_code retval;
 krb5_get_init_creds_opt *opts = NULL;
- retval = krb5_get_init_creds_opt_alloc (kcontext, &opts);
- if (retval)
+ if ((retval = krb5_get_init_creds_opt_alloc (kcontext, &opts)))
 goto out;
- ka_set_ticket_options (applet, opts);
+ ka_set_ticket_options (applet, kcontext, opts,
+ pk_userid, pk_anchors);
+
 retval = krb5_get_init_creds_password(kcontext, creds, kprincipal, NULL, auth_dialog_prompter, applet, 0, NULL, opts);
@@ -585,6 +606,7 @@ grab_credentials (KaApplet* applet)
 krb5_creds my_creds;
 krb5_ccache ccache;
 gchar *pk_userid = NULL;
+ gchar *pk_anchors = NULL;
 gboolean pw_auth = TRUE;
 memset(&my_creds, 0, sizeof(my_creds));
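Review bot: The `#endif /* ! ENABLE_PKINIT */` that opens the second hunk no longer matches its `#if`, which the first hunk changed to `ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT`; it should read `#endif /* ENABLE_PKINIT && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT */`. The rename to `ka_auth_heimdal_pkinit` is undocumented, and its `ka_set_ticket_options (applet, kcontext, opts, NULL, NULL)` call looks like a bug next to `ka_auth_password`, which now passes `pk_userid, pk_anchors`; a header comment such as `/* PKINIT via Heimdal's krb5_get_init_creds_opt_set_pkinit(); identity and anchors go in directly, so NULLs are passed to ka_set_ticket_options, whose set_pa path is the MIT equivalent */` would settle that. Likewise a one-line comment on the new `ka_auth_password` parameters, saying they only exist so the MIT pkinit preauth options reach `krb5_get_init_creds_password`, would save the next reader a trip through both functions. The bodies of `ka_auth_heimdal_pkinit` and `ka_auth_password` continue past their hunks.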
@@ -599,18 +621,22 @@ grab_credentials (KaApplet* applet)
 if (retval)
 goto out2;
- g_object_get(applet, "pk-userid", &pk_userid, NULL);
-#ifdef ENABLE_PKINIT
+ g_object_get(applet, "pk-userid", &pk_userid,
+ "pk-anchors", &pk_anchors,
+ NULL);
+#if ENABLE_PKINIT && HAVE_HX509_ERR_H && HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PKINIT
 /* pk_userid set: try pkinit */
 if (pk_userid && strlen(pk_userid)) {
- retval = ka_auth_pkinit(applet, &my_creds, pk_userid);
+ retval = ka_auth_heimdal_pkinit(applet, &my_creds,
+ pk_userid, pk_anchors);
 /* other error than: "no token found" - no need to try password auth: */
 if (retval != HX509_PKCS11_NO_TOKEN && retval != HX509_PKCS11_NO_SLOT)
 pw_auth = FALSE;
 }
 #endif /* ENABLE_PKINIT */
 if (pw_auth)
- retval = ka_auth_password(applet, &my_creds);
+ retval = ka_auth_password(applet, &my_creds,
+ pk_userid, pk_anchors);
 creds_expiry = my_creds.times.endtime;
 if (canceled)
@@ -621,8 +647,7 @@ grab_credentials (KaApplet* applet)
 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
 #ifdef HAVE_HX509_ERR_H
 case HX509_PKCS11_LOGIN:
-#endif
- /* Invalid password/pin, try again. */
+#endif /* Invalid password/pin, try again. */
 invalid_auth = TRUE;
 break;
 default:
diff --git a/src/krb5-auth-dialog.schemas.in b/src/krb5-auth-dialog.schemas.in
index 13b05b2..4b7adb8 100644
--- a/src/krb5-auth-dialog.schemas.in
+++ b/src/krb5-auth-dialog.schemas.in
@@ -34,8 +34,21 @@
- Pkinit identifier
- The principal's public/private/certificate identifier when using pkinit
+ PKINIT identifier
+ The principal's public/private/certificate identifier when using PKINIT
+
+
+
+ /schemas/apps/::PACKAGE::/pk_anchors
+ /apps/::PACKAGE::/pk_anchors
+ ::PACKAGE::
+ string
+
+
+
+ PKINIT trust anchors
+ PKINIT CA certificates
diff --git a/src/krb5-auth-gconf-tools.h b/src/krb5-auth-gconf-tools.h
index 9786b2f..9f9020f 100644
--- a/src/krb5-auth-gconf-tools.h
+++ b/src/krb5-auth-gconf-tools.h
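Review bot: `pk_anchors` is filled by `g_object_get`, which hands back a newly allocated copy for a string property, but nothing in the first hunk frees it; unless the `out:`/`out2:` cleanup of `grab_credentials` below the hunk (outside SOURCE) gained a matching `g_free (pk_anchors)` next to the one `pk_userid` presumably already has, every credential grab leaks the string. In the second hunk `/* Invalid password/pin, try again. */` was folded onto the `#endif` line, where it now reads as the closing comment of `#ifdef HAVE_HX509_ERR_H` rather than as a description of `invalid_auth = TRUE;`; leaving the comment on its own line before that statement keeps the meaning. Note also that the Heimdal branch is now additionally gated on `HAVE_HX509_ERR_H`, so a Heimdal build without that header silently takes only the password path even with `pk_userid` set; if that combination can occur, a configure-time warning would be kinder than a quiet downgrade. `grab_credentials` starts and ends outside these hunks.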
@@ -28,6 +28,7 @@
 #define KA_GCONF_PATH "/apps/" PACKAGE
 #define KA_GCONF_KEY_PRINCIPAL KA_GCONF_PATH "/principal"
 #define KA_GCONF_KEY_PK_USERID KA_GCONF_PATH "/pk_userid"
+#define KA_GCONF_KEY_PK_ANCHORS KA_GCONF_PATH "/pk_anchors"
 #define KA_GCONF_KEY_PROMPT_MINS KA_GCONF_PATH "/prompt_minutes"
 #define KA_GCONF_KEY_SHOW_TRAYICON KA_GCONF_PATH "/show_trayicon"
 #define KA_GCONF_KEY_FORWARDABLE KA_GCONF_PATH "/forwardable"
diff --git a/src/krb5-auth-gconf.c b/src/krb5-auth-gconf.c
index 25eb555..497b1a7 100644
--- a/src/krb5-auth-gconf.c
+++ b/src/krb5-auth-gconf.c
@@ -20,6 +20,7 @@
 #include "config.h"
 #include
+#include
 #include "krb5-auth-applet.h"
 #include "krb5-auth-gconf-tools.h"
@@ -30,7 +31,9 @@ ka_gconf_set_principal (GConfClient* client, KaApplet* applet)
 {
 gchar* principal = NULL;
- if(!ka_gconf_get_string (client, KA_GCONF_KEY_PRINCIPAL, &principal)) {
+ if(!ka_gconf_get_string (client, KA_GCONF_KEY_PRINCIPAL, &principal)
+ || !strlen(principal)) {
+ g_free (principal);
 principal = g_strdup (g_get_user_name());
 }
 g_object_set(applet, "principal", principal, NULL);
@@ -53,6 +56,20 @@ ka_gconf_set_pk_userid (GConfClient* client, KaApplet* applet)
 }
+static gboolean
+ka_gconf_set_pk_anchors (GConfClient* client, KaApplet* applet)
+{
+ gchar* pk_anchors = NULL;
+
+ if(!ka_gconf_get_string (client, KA_GCONF_KEY_PK_ANCHORS, &pk_anchors)) {
+ pk_anchors = g_strdup ("");
+ }
+ g_object_set(applet, "pk_anchors", pk_anchors, NULL);
+ g_free (pk_anchors);
+ return TRUE;
+}
+
+
 static gboolean
 ka_gconf_set_prompt_mins (GConfClient* client, KaApplet* applet)
 {
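Review bot: In `ka_gconf_set_principal` the new `|| !strlen(principal)` runs whenever `ka_gconf_get_string` returned TRUE; that helper lives in krb5-auth-gconf-tools.c, outside this diff, and if it can succeed while leaving `principal` NULL this dereferences NULL, so `|| !principal || !*principal` is the safe spelling in either case. `ka_gconf_set_pk_anchors` sets the property as `"pk_anchors"` while krb5-auth-applet.c registers it as `"pk-anchors"` and `grab_credentials` reads `"pk-anchors"`; GObject canonicalises the underscore so it works, but using the registered name spares every reader that check. The function also returns TRUE even when `ka_gconf_get_string` failed and substitutes `""`, so the caller cannot distinguish an unset key from a deliberately empty one; if that is the intent, say so above the fallback, e.g. `/* key unset or unreadable: publish "" so no anchors are passed and libkrb5's own configuration applies — TODO confirm that is the desired default */`.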
@@ -140,6 +157,8 @@ ka_gconf_key_changed_callback (GConfClient* client,
 ka_gconf_set_show_trayicon (client, applet);
 } else if (g_strcmp0 (key, KA_GCONF_KEY_PK_USERID) == 0) {
 ka_gconf_set_pk_userid (client, applet);
+ } else if (g_strcmp0 (key, KA_GCONF_KEY_PK_ANCHORS) == 0) {
+ ka_gconf_set_pk_anchors(client, applet);
 } else if (g_strcmp0 (key, KA_GCONF_KEY_FORWARDABLE) == 0) {
 ka_gconf_set_tgt_forwardable (client, applet);
 } else if (g_strcmp0 (key, KA_GCONF_KEY_RENEWABLE) == 0) {
@@ -176,6 +195,7 @@ ka_gconf_init (KaApplet* applet,
 ka_gconf_set_prompt_mins (client, applet);
 ka_gconf_set_show_trayicon (client, applet);
 ka_gconf_set_pk_userid(client, applet);
+ ka_gconf_set_pk_anchors(client, applet);
 ka_gconf_set_tgt_forwardable(client, applet);
 ka_gconf_set_tgt_renewable(client, applet);
 ka_gconf_set_tgt_proxiable(client, applet);
-- cgit