From c0a6d66e98e62b94d72bb51b8d6c00130a951215 Mon Sep 17 00:00:00 2001
|
|
From: Julien Rische <jrische@redhat.com>
|
|
Date: Fri, 22 Apr 2022 14:12:37 +0200
|
|
Subject: [PATCH] Add configure variable for default PKCS#11 module
|
|
|
|
[ghudson@mit.edu: added documentation of configure variable and doc
|
|
substitution; shortened commit message]
|
|
|
|
ticket: 9058 (new)
|
|
---
|
|
doc/admin/conf_files/krb5_conf.rst | 2 +-
|
|
doc/build/options2configure.rst | 3 +++
|
|
doc/conf.py | 3 +++
|
|
doc/mitK5defaults.rst | 25 +++++++++++++------------
|
|
src/configure.ac | 8 ++++++++
|
|
src/doc/Makefile.in | 2 ++
|
|
src/man/Makefile.in | 4 +++-
|
|
src/man/krb5.conf.man | 2 +-
|
|
src/plugins/preauth/pkinit/pkinit.h | 1 -
|
|
9 files changed, 34 insertions(+), 16 deletions(-)
|
|
|
|
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
|
|
index 2a4962069f..a33711d918 100644
|
|
--- a/doc/admin/conf_files/krb5_conf.rst
|
|
+++ b/doc/admin/conf_files/krb5_conf.rst
|
|
@@ -1017,7 +1017,7 @@ information for PKINIT is as follows:
|
|
All keyword/values are optional. *modname* specifies the location
|
|
of a library implementing PKCS #11. If a value is encountered
|
|
with no keyword, it is assumed to be the *modname*. If no
|
|
- module-name is specified, the default is ``opensc-pkcs11.so``.
|
|
+ module-name is specified, the default is |pkcs11_modname|.
|
|
``slotid=`` and/or ``token=`` may be specified to force the use of
|
|
a particular smard card reader or token if there is more than one
|
|
available. ``certid=`` and/or ``certlabel=`` may be specified to
|
|
diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst
|
|
index 9e355dc2c5..e879b18bd2 100644
|
|
--- a/doc/build/options2configure.rst
|
|
+++ b/doc/build/options2configure.rst
|
|
@@ -137,6 +137,9 @@ Environment variables
|
|
This option allows one to specify libraries to be passed to the
|
|
linker (e.g., ``-l<library>``)
|
|
|
|
+**PKCS11_MODNAME=**\ *library*
|
|
+ Override the built-in default PKCS11 library name.
|
|
+
|
|
**SS_LIB=**\ *libs*...
|
|
If ``-lss`` is not the correct way to link in your installed ss
|
|
library, for example if additional support libraries are needed,
|
|
diff --git a/doc/conf.py b/doc/conf.py
|
|
index 12168fa695..0ab5ff9606 100644
|
|
--- a/doc/conf.py
|
|
+++ b/doc/conf.py
|
|
@@ -242,6 +242,7 @@ if 'mansubs' in tags:
|
|
ccache = '``@CCNAME@``'
|
|
keytab = '``@KTNAME@``'
|
|
ckeytab = '``@CKTNAME@``'
|
|
+ pkcs11_modname = '``@PKCS11MOD@``'
|
|
elif 'pathsubs' in tags:
|
|
# Read configured paths from a file produced by the build system.
|
|
exec(open("paths.py").read())
|
|
@@ -255,6 +256,7 @@ else:
|
|
ccache = ':ref:`DEFCCNAME <paths>`'
|
|
keytab = ':ref:`DEFKTNAME <paths>`'
|
|
ckeytab = ':ref:`DEFCKTNAME <paths>`'
|
|
+ pkcs11_modname = ':ref:`PKCS11_MODNAME <paths>`'
|
|
|
|
rst_epilog = '\n'
|
|
|
|
@@ -275,6 +277,7 @@ else:
|
|
rst_epilog += '.. |ccache| replace:: %s\n' % ccache
|
|
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
|
|
rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
|
|
+ rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname
|
|
rst_epilog += '''
|
|
.. |krb5conf| replace:: ``/etc/krb5.conf``
|
|
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
|
|
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
|
|
index 74e69f4ad0..aea7af3dbb 100644
|
|
--- a/doc/mitK5defaults.rst
|
|
+++ b/doc/mitK5defaults.rst
|
|
@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``. When MIT krb5 is integrated into an
|
|
operating system, the paths are generally chosen to match the
|
|
operating system's filesystem layout.
|
|
|
|
-========================== ============= =========================== ===========================
|
|
-Description Symbolic name Custom build path Typical OS path
|
|
-========================== ============= =========================== ===========================
|
|
-User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
|
|
-Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
|
|
-Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
|
|
-Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
|
|
-Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
|
|
-Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
|
|
-Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
|
|
-Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
|
|
-========================== ============= =========================== ===========================
|
|
+========================== ============== =========================== ===========================
|
|
+Description Symbolic name Custom build path Typical OS path
|
|
+========================== ============== =========================== ===========================
|
|
+User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
|
|
+Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
|
|
+Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
|
|
+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
|
|
+Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
|
|
+Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
|
|
+Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
|
|
+Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab``
|
|
+Default PKCS11 module PKCS11_MODNAME ``opensc-pkcs11.so`` ``opensc-pkcs11.so``
|
|
+========================== ============== =========================== ===========================
|
|
|
|
The default client keytab name (DEFCKTNAME) typically defaults to
|
|
``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom
|
|
diff --git a/src/configure.ac b/src/configure.ac
|
|
index 8dc864718d..9774cb71ae 100644
|
|
--- a/src/configure.ac
|
|
+++ b/src/configure.ac
|
|
@@ -1471,6 +1471,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])
|
|
AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],
|
|
[Define to default client keytab name])
|
|
|
|
+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name])
|
|
+if test "${PKCS11_MODNAME+set}" != set; then
|
|
+ PKCS11_MODNAME=opensc-pkcs11.so
|
|
+fi
|
|
+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME])
|
|
+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"],
|
|
+ [Default PKCS11 module name])
|
|
+
|
|
AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config])
|
|
AC_CONFIG_FILES([build-tools/kadm-server.pc
|
|
build-tools/kadm-client.pc
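Review bot: The `${PKCS11_MODNAME+set}` test on the line after AC_ARG_VAR only applies the default when the variable is unset, so `./configure PKCS11_MODNAME=` (or an empty value inherited from the environment, which AC_ARG_VAR also honours) bakes `#define PKCS11_MODNAME ""` into the build and propagates an empty module name into the generated documentation and man pages. Unless an empty default is deliberately meant to be supported, `if test -z "$PKCS11_MODNAME"; then` is the safer test. The value is also interpolated unescaped into a C string literal by AC_DEFINE_UNQUOTED and later into sed and echo commands in src/man/Makefile.in and src/doc/Makefile.in, so a value containing `"`, `\`, `|` or `'` yields a broken build rather than a clear error; this matches how DEFCCNAME and DEFKTNAME are already handled, but a `case` statement rejecting those characters at configure time would catch it at the source.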
|
|
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
|
|
index 379bc36511..a1b0cff0a4 100644
|
|
--- a/src/doc/Makefile.in
|
|
+++ b/src/doc/Makefile.in
|
|
@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@
|
|
DEFCCNAME=@DEFCCNAME@
|
|
DEFKTNAME=@DEFKTNAME@
|
|
DEFCKTNAME=@DEFCKTNAME@
|
|
+PKCS11_MODNAME=@PKCS11_MODNAME@
|
|
|
|
RST_SOURCES= _static \
|
|
_templates \
|
|
@@ -118,6 +119,7 @@ paths.py:
|
|
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
|
|
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
|
|
echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@
|
|
+ echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@
|
|
|
|
# Dummy rule that man/Makefile can invoke
|
|
version.py: $(docsrc)/version.py
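Review bot: The new `echo 'pkcs11_modname = ...' >> $@` line is appended to a `paths.py:` rule that, judging by the hunk header, declares no prerequisites, so a paths.py left over from a tree configured before this change is never regenerated; doc/conf.py's `pathsubs` branch then `exec`s a paths.py with no `pkcs11_modname`, and the new `rst_epilog += ... % pkcs11_modname` line fails with NameError. Declaring the generated Makefile as a prerequisite, `paths.py: Makefile`, would make the file track reconfiguration; the gap is pre-existing, but the new variable is what makes it visible. The rule head and the rest of its recipe are outside the hunk. Note also that `$(PKCS11_MODNAME)` is expanded inside single quotes for the shell, so a value containing `'` corrupts paths.py, the same limitation the existing DEF*NAME lines have.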
|
|
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
|
|
index 00b1b2de06..85cae0914e 100644
|
|
--- a/src/man/Makefile.in
|
|
+++ b/src/man/Makefile.in
|
|
@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@
|
|
DEFCCNAME=@DEFCCNAME@
|
|
DEFKTNAME=@DEFKTNAME@
|
|
DEFCKTNAME=@DEFCKTNAME@
|
|
+PKCS11_MODNAME=@PKCS11_MODNAME@
|
|
|
|
MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \
|
|
kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \
|
|
@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
|
|
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
|
|
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
|
|
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
|
|
- -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@
|
|
+ -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \
|
|
+ -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@
|
|
|
|
all: $(MANSUBS)
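Review bot: The added `-e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g'` expression uses `|` as the sed delimiter and passes the replacement unescaped, so a configure-time `PKCS11_MODNAME` containing `|`, `&` or `\` silently produces a wrong or unparsable man page instead of a build failure. This mirrors the existing DEFCCNAME/DEFKTNAME lines, so the practical fix is to validate the value once in configure.ac rather than in each consumer; until then a comment above the sed invocation, `# Substituted values must not contain sed-special characters (| & \); configure does not check this`, would document the limitation. The recipe this line belongs to starts outside the hunk.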
|
|
|
|
diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man
|
|
index 51acb38815..fd2c6f2bc4 100644
|
|
--- a/src/man/krb5.conf.man
|
|
+++ b/src/man/krb5.conf.man
|
|
@@ -1148,7 +1148,7 @@ user\(aqs certificate and private key.
|
|
All keyword/values are optional. \fImodname\fP specifies the location
|
|
of a library implementing PKCS #11. If a value is encountered
|
|
with no keyword, it is assumed to be the \fImodname\fP\&. If no
|
|
-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.
|
|
+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.
|
|
\fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of
|
|
a particular smard card reader or token if there is more than one
|
|
available. \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to
|
|
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
|
|
index 8135535e2c..66f92d8f03 100644
|
|
--- a/src/plugins/preauth/pkinit/pkinit.h
|
|
+++ b/src/plugins/preauth/pkinit/pkinit.h
|
|
@@ -42,7 +42,6 @@
|
|
#ifndef WITHOUT_PKCS11
|
|
#include "pkcs11.h"
|
|
|
|
-#define PKCS11_MODNAME "opensc-pkcs11.so"
|
|
#define PK_SIGLEN_GUESS 1000
|
|
#define PK_NOSLOT 999999
|
|
#endif
|
|
--
|
|
2.38.1
|
|
|