diff --git a/src/config/pre.in b/src/config/pre.in
index 01f102e..060aa89 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -439,6 +439,11 @@ TCL_INCLUDES = @TCL_INCLUDES@
 CRYPTO_IMPL = @CRYPTO_IMPL@
 PRNG_ALG = @PRNG_ALG@
+# Crypto back-end selection and flags for PKINIT
+PKINIT_CRYPTO_IMPL = @PKINIT_CRYPTO_IMPL@
+PKINIT_CRYPTO_IMPL_CFLAGS = @PKINIT_CRYPTO_IMPL_CFLAGS@
+PKINIT_CRYPTO_IMPL_LIBS = @PKINIT_CRYPTO_IMPL_LIBS@
+
 # error table rules
 #
 ### /* these are invoked as $(...) foo.et, which works, but could be better */
diff --git a/src/configure.in b/src/configure.in
index 7bb1a6c..3451173 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -190,6 +190,48 @@ if test "$PRNG_ALG" = fortuna; then
 AC_DEFINE(FORTUNA,1,[Define if Fortuna PRNG is selected])
 fi
+# WITH_PKINIT_CRYPTO_IMPL
+
+PKINIT_CRYPTO_IMPL="$CRYPTO_IMPL"
+AC_ARG_WITH([pkinit-crypto-impl],
+AC_HELP_STRING([--with-pkinit-crypto-impl=IMPL], [use specified pkinit crypto implementation @<:@openssl@:>@]),
+[PKINIT_CRYPTO_IMPL=$withval
+AC_MSG_RESULT("pkinit will use \'$withval\'")
+], withval=$PKINIT_CRYPTO_IMPL)
+case "$withval" in
+builtin|openssl)
+ AC_CHECK_LIB(crypto, PKCS7_get_signer_info)
+ PKINIT_CRYPTO_IMPL=openssl
+ ;;
+nss)
+ if test "${PKINIT_CRYPTO_IMPL_CFLAGS+set}" != set; then
+ PKINIT_CRYPTO_IMPL_CFLAGS=`pkg-config --cflags nss`
+ fi
+ if test "${PKINIT_CRYPTO_IMPL_LIBS+set}" != set; then
+ PKINIT_CRYPTO_IMPL_LIBS=`pkg-config --libs nss`
+ fi
+ AC_DEFINE(PKINIT_CRYPTO_IMPL_NSS,1,[Define if pkinit crypto implementation is NSS])
+ save_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS $PKINIT_CRYPTO_IMPL_CFLAGS"
+ AC_COMPILE_IFELSE([
+#include
+#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 12)
+#error
+#elif NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH < 11
+#error
+#endif
+ ], [], [AC_MSG_ERROR([NSS version 3.12.11 or later required.])])
+ CFLAGS=$save_CFLAGS
+ ;;
+*)
+ AC_MSG_ERROR([Unknown crypto implementation $withval])
+ ;;
+esac
+AC_CONFIG_COMMANDS(PKINIT_CRYPTO_IMPL,,PKINIT_CRYPTO_IMPL=$PKINIT_CRYPTO_IMPL)
+AC_SUBST(PKINIT_CRYPTO_IMPL)
+AC_SUBST(PKINIT_CRYPTO_IMPL_CFLAGS)
+AC_SUBST(PKINIT_CRYPTO_IMPL_LIBS)
+
 # --with-kdc-kdb-update makes the KDC update the database with last request
 # information and failure information.
diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in
index 40e7d5e..05a6794 100644
--- a/src/plugins/preauth/pkinit/Makefile.in
+++ b/src/plugins/preauth/pkinit/Makefile.in
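Review bot: In the `builtin|openssl` branch PKINIT_CRYPTO_IMPL_LIBS is never assigned, so -lcrypto reaches the pkinit link line only through AC_CHECK_LIB's default action of prepending it to the global LIBS; the Makefile.in hunk in this same commit drops `LIBS+= -lcrypto` and links `$(PKINIT_CRYPTO_IMPL_LIBS)` instead, so the openssl build now relies on a configure-wide side effect (and, if that LIBS flows into every Makefile, links libcrypto into far more than the plugin). Setting the variable explicitly keeps both back-ends symmetric and fails loudly when the library is absent: `AC_CHECK_LIB(crypto, PKCS7_get_signer_info, [PKINIT_CRYPTO_IMPL_LIBS=-lcrypto], [AC_MSG_ERROR([libcrypto with PKCS7 support is required for pkinit])])`. The `nss` branch runs `pkg-config` without checking it exists, so a missing pkg-config silently yields empty flags and surfaces as the unrelated "NSS version 3.12.11 or later required" error; an `AC_PATH_PROG` for pkg-config, or a test that PKINIT_CRYPTO_IMPL_CFLAGS/LIBS are non-empty before the compile check, would give an accurate diagnosis. Minor: the `\'$withval\'` in AC_MSG_RESULT prints literal backslashes inside double quotes.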
@@ -7,7 +7,7 @@ PROG_RPATH=$(KRB5_LIBDIR)
 MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR)
 DEFS=@DEFS@
-LOCALINCLUDES = -I../../../include/krb5 -I.
+LOCALINCLUDES = -I../../../include/krb5 -I. $(PKINIT_CRYPTO_IMPL_CFLAGS)
 RUN_SETUP = @KRB5_RUN_ENV@
 LIBBASE=pkinit
@@ -19,8 +19,8 @@ RELDIR=../plugins/preauth/pkinit
 SHLIB_EXPDEPS = \
 $(TOPLIBD)/libk5crypto$(SHLIBEXT) \
 $(TOPLIBD)/libkrb5$(SHLIBEXT)
-LIBS+= -lcrypto
-SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(DL_LIB) $(SUPPORT_LIB) $(LIBS)
+SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(PKINIT_CRYPTO_IMPL_LIBS) $(DL_LIB) $(SUPPORT_LIB) $(LIBS)
+DEFINES=-DPKINIT_DYNOBJEXT=\""$(PKINIT_DYNOBJEXT)"\"
 SHLIB_DIRS=-L$(TOPLIBD)
 SHLIB_RDIRS=$(KRB5_LIBDIR)
@@ -34,7 +34,7 @@ STLIBOBJS= \
 pkinit_profile.o \
 pkinit_identity.o \
 pkinit_matching.o \
- pkinit_crypto_openssl.o
+ pkinit_crypto_$(PKINIT_CRYPTO_IMPL).o
 SRCS= \
 $(srcdir)/pkinit_accessor.c \
@@ -46,7 +46,7 @@ SRCS= \
 $(srcdir)/pkinit_profile.c \
 $(srcdir)/pkinit_identity.c \
 $(srcdir)/pkinit_matching.c \
- $(srcdir)/pkinit_crypto_openssl.c
+ $(srcdir)/pkinit_crypto_$(PKINIT_CRYPTO_IMPL).c
 all-unix:: all-liblinks
 install-unix:: install-libs
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 2536aee..48e57fe 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 #include
 #include "pkinit_accessor.h"
diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h
index 28a8f1d..2926b10 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto.h
+++ b/src/plugins/preauth/pkinit/pkinit_crypto.h
@@ -59,6 +59,9 @@ enum cms_msg_types {
 #define IDTYPE_PKCS11 3
 #define IDTYPE_ENVVAR 4
 #define IDTYPE_PKCS12 5
+#ifdef PKINIT_CRYPTO_IMPL_NSS
+#define IDTYPE_NSS 6
+#endif
 /*
  * ca/crl types
diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c
index 2527753..39d2a0e 100644
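Review bot: The new `DEFINES=-DPKINIT_DYNOBJEXT=\""$(PKINIT_DYNOBJEXT)"\"` line in the second Makefile.in hunk references a make variable that nothing in this commit defines or substitutes (pre.in only gains the three PKINIT_CRYPTO_IMPL* variables), so unless PKINIT_DYNOBJEXT is set elsewhere in the build it expands to nothing and the plugin is compiled with `PKINIT_DYNOBJEXT=""`. If it is meant to be the shared-object suffix, deriving it from the existing `$(SHLIBEXT)` or adding an @PKINIT_DYNOBJEXT@ substitution to pre.in alongside the new variables would make the intent explicit and catch the empty case at configure time. A one-line comment above the assignment naming what the macro is consumed for would also help, since no consumer appears in this diff.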
--- a/src/plugins/preauth/pkinit/pkinit_identity.c
+++ b/src/plugins/preauth/pkinit/pkinit_identity.c
@@ -93,6 +93,9 @@ idtype2string(int idtype)
 case IDTYPE_PKCS11: return "PKCS11"; break;
 case IDTYPE_PKCS12: return "PKCS12"; break;
 case IDTYPE_ENVVAR: return "ENV"; break;
+#ifdef PKINIT_CRYPTO_IMPL_NSS
+ case IDTYPE_NSS: return "NSS"; break;
+#endif
 default: return "INVALID"; break;
 }
 }
@@ -411,6 +414,10 @@ process_option_identity(krb5_context context,
 idtype = IDTYPE_DIR;
 } else if (strncmp(value, "ENV:", typelen) == 0) {
 idtype = IDTYPE_ENVVAR;
+#ifdef PKINIT_CRYPTO_IMPL_NSS
+ } else if (strncmp(value, "NSS:", typelen) == 0) {
+ idtype = IDTYPE_NSS;
+#endif
 } else {
 pkiDebug("%s: Unsupported type while processing '%s'\n",
 __FUNCTION__, value);
@@ -447,6 +454,13 @@ process_option_identity(krb5_context context,
 if (idopts->cert_filename == NULL)
 retval = ENOMEM;
 break;
+#ifdef PKINIT_CRYPTO_IMPL_NSS
+ case IDTYPE_NSS:
+ idopts->cert_filename = strdup(residual);
+ if (idopts->cert_filename == NULL)
+ retval = ENOMEM;
+ break;
+#endif
 default:
 krb5_set_error_message(context, KRB5_PREAUTH_FAILED,
 _("Internal error parsing "
@@ -483,6 +497,10 @@ process_option_ca_crl(krb5_context context,
 idtype = IDTYPE_FILE;
 } else if (strncmp(value, "DIR:", typelen) == 0) {
 idtype = IDTYPE_DIR;
+#ifdef PKINIT_CRYPTO_IMPL_NSS
+ } else if (strncmp(value, "NSS:", typelen) == 0) {
+ idtype = IDTYPE_NSS;
+#endif
 } else {
 return ENOTSUP;
 }
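Review bot: The `NSS:` branch added to process_option_ca_crl (last hunk) only assigns idtype = IDTYPE_NSS; the code that acts on idtype later in that function lies outside the hunk, so confirm it has an IDTYPE_NSS arm, otherwise an NSS: CA/CRL specification is accepted by the parser and then silently ignored or rejected with a generic error further down. In process_option_identity the new IDTYPE_NSS arm stores the residual in idopts->cert_filename exactly as the PKCS12 arm above it does, which works but overloads a field named for a file path; a comment such as `/* IDTYPE_NSS reuses cert_filename to carry the NSS: residual */` at that case would stop a later reader from treating the value as a path. Both process_option_identity and process_option_ca_crl start and end outside the hunks.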