From c0a6d66e98e62b94d72bb51b8d6c00130a951215 Mon Sep 17 00:00:00 2001

From: Julien Rische <jrische@redhat.com>

Date: Fri, 22 Apr 2022 14:12:37 +0200

Subject: [PATCH] Add configure variable for default PKCS#11 module

[ghudson@mit.edu: added documentation of configure variable and doc

substitution; shortened commit message]

ticket: 9058 (new)

---

 doc/admin/conf_files/krb5_conf.rst  |  2 +-

 doc/build/options2configure.rst     |  3 +++

 doc/conf.py                         |  3 +++

 doc/mitK5defaults.rst               | 25 +++++++++++++------------

 src/configure.ac                    |  8 ++++++++

 src/doc/Makefile.in                 |  2 ++

 src/man/Makefile.in                 |  4 +++-

 src/man/krb5.conf.man               |  2 +-

 src/plugins/preauth/pkinit/pkinit.h |  1 -

 9 files changed, 34 insertions(+), 16 deletions(-)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst

index 2a4962069f..a33711d918 100644

--- a/doc/admin/conf_files/krb5_conf.rst

+++ b/doc/admin/conf_files/krb5_conf.rst

@@ -1017,7 +1017,7 @@ information for PKINIT is as follows:

     All keyword/values are optional.  *modname* specifies the location

     of a library implementing PKCS #11.  If a value is encountered

     with no keyword, it is assumed to be the *modname*.  If no

-    module-name is specified, the default is ``opensc-pkcs11.so``.

+    module-name is specified, the default is |pkcs11_modname|.

     ``slotid=`` and/or ``token=`` may be specified to force the use of

     a particular smard card reader or token if there is more than one

     available.  ``certid=`` and/or ``certlabel=`` may be specified to

diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst

index 9e355dc2c5..e879b18bd2 100644

--- a/doc/build/options2configure.rst

+++ b/doc/build/options2configure.rst

@@ -137,6 +137,9 @@ Environment variables

     This option allows one to specify libraries to be passed to the

     linker (e.g., ``-l<library>``)

+**PKCS11_MODNAME=**\ *library*

+    Override the built-in default PKCS11 library name.

+

 **SS_LIB=**\ *libs*...

     If ``-lss`` is not the correct way to link in your installed ss

     library, for example if additional support libraries are needed,

diff --git a/doc/conf.py b/doc/conf.py

index 12168fa695..0ab5ff9606 100644

--- a/doc/conf.py

+++ b/doc/conf.py

@@ -242,6 +242,7 @@ if 'mansubs' in tags:

     ccache = '``@CCNAME@``'

     keytab = '``@KTNAME@``'

     ckeytab = '``@CKTNAME@``'

+    pkcs11_modname = '``@PKCS11MOD@``'

 elif 'pathsubs' in tags:

     # Read configured paths from a file produced by the build system.

     exec(open("paths.py").read())

@@ -255,6 +256,7 @@ else:

     ccache = ':ref:`DEFCCNAME <paths>`'

     keytab = ':ref:`DEFKTNAME <paths>`'

     ckeytab = ':ref:`DEFCKTNAME <paths>`'

+    pkcs11_modname = ':ref:`PKCS11_MODNAME <paths>`'

 rst_epilog = '\n'

@@ -275,6 +277,7 @@ else:

     rst_epilog += '.. |ccache| replace:: %s\n' % ccache

     rst_epilog += '.. |keytab| replace:: %s\n' % keytab

     rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab

+    rst_epilog += '.. |pkcs11_modname| replace:: %s\n' % pkcs11_modname

     rst_epilog += '''

 .. |krb5conf| replace:: ``/etc/krb5.conf``

 .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``

diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst

index 74e69f4ad0..aea7af3dbb 100644

--- a/doc/mitK5defaults.rst

+++ b/doc/mitK5defaults.rst

@@ -59,18 +59,19 @@ subdirectories of ``/usr/local``.  When MIT krb5 is integrated into an

 operating system, the paths are generally chosen to match the

 operating system's filesystem layout.

-==========================  =============  ===========================  ===========================

-Description                 Symbolic name  Custom build path            Typical OS path

-==========================  =============  ===========================  ===========================

-User programs               BINDIR         ``/usr/local/bin``           ``/usr/bin``

-Libraries and plugins       LIBDIR         ``/usr/local/lib``           ``/usr/lib``

-Parent of KDC state dir     LOCALSTATEDIR  ``/usr/local/var``           ``/var``

-Parent of KDC runtime dir   RUNSTATEDIR    ``/usr/local/var/run``       ``/run``

-Administrative programs     SBINDIR        ``/usr/local/sbin``          ``/usr/sbin``

-Alternate krb5.conf dir     SYSCONFDIR     ``/usr/local/etc``           ``/etc``

-Default ccache name         DEFCCNAME      ``FILE:/tmp/krb5cc_%{uid}``  ``FILE:/tmp/krb5cc_%{uid}``

-Default keytab name         DEFKTNAME      ``FILE:/etc/krb5.keytab``    ``FILE:/etc/krb5.keytab``

-==========================  =============  ===========================  ===========================

+==========================  ==============  ===========================  ===========================

+Description                 Symbolic name   Custom build path            Typical OS path

+==========================  ==============  ===========================  ===========================

+User programs               BINDIR          ``/usr/local/bin``           ``/usr/bin``

+Libraries and plugins       LIBDIR          ``/usr/local/lib``           ``/usr/lib``

+Parent of KDC state dir     LOCALSTATEDIR   ``/usr/local/var``           ``/var``

+Parent of KDC runtime dir   RUNSTATEDIR     ``/usr/local/var/run``       ``/run``

+Administrative programs     SBINDIR         ``/usr/local/sbin``          ``/usr/sbin``

+Alternate krb5.conf dir     SYSCONFDIR      ``/usr/local/etc``           ``/etc``

+Default ccache name         DEFCCNAME       ``FILE:/tmp/krb5cc_%{uid}``  ``FILE:/tmp/krb5cc_%{uid}``

+Default keytab name         DEFKTNAME       ``FILE:/etc/krb5.keytab``    ``FILE:/etc/krb5.keytab``

+Default PKCS11 module       PKCS11_MODNAME  ``opensc-pkcs11.so``         ``opensc-pkcs11.so``

+==========================  ==============  ===========================  ===========================

 The default client keytab name (DEFCKTNAME) typically defaults to

 ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom

diff --git a/src/configure.ac b/src/configure.ac

index 8dc864718d..9774cb71ae 100644

--- a/src/configure.ac

+++ b/src/configure.ac

@@ -1471,6 +1471,14 @@ AC_DEFINE_UNQUOTED(DEFKTNAME, ["$DEFKTNAME"], [Define to default keytab name])

 AC_DEFINE_UNQUOTED(DEFCKTNAME, ["$DEFCKTNAME"],

                    [Define to default client keytab name])

+AC_ARG_VAR(PKCS11_MODNAME, [Default PKCS11 module name])

+if test "${PKCS11_MODNAME+set}" != set; then

+	PKCS11_MODNAME=opensc-pkcs11.so

+fi

+AC_MSG_NOTICE([Default PKCS11 module name: $PKCS11_MODNAME])

+AC_DEFINE_UNQUOTED(PKCS11_MODNAME, ["$PKCS11_MODNAME"],

+                   [Default PKCS11 module name])

+

 AC_CONFIG_FILES([build-tools/krb5-config], [chmod +x build-tools/krb5-config])

 AC_CONFIG_FILES([build-tools/kadm-server.pc

 	build-tools/kadm-client.pc

diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in

index 379bc36511..a1b0cff0a4 100644

--- a/src/doc/Makefile.in

+++ b/src/doc/Makefile.in

@@ -10,6 +10,7 @@ sysconfdir=@sysconfdir@

 DEFCCNAME=@DEFCCNAME@

 DEFKTNAME=@DEFKTNAME@

 DEFCKTNAME=@DEFCKTNAME@

+PKCS11_MODNAME=@PKCS11_MODNAME@

 RST_SOURCES= _static \

 	_templates \

@@ -118,6 +119,7 @@ paths.py:

 	echo 'ccache = "``$(DEFCCNAME)``"' >> $@

 	echo 'keytab = "``$(DEFKTNAME)``"' >> $@

 	echo 'ckeytab = "``$(DEFCKTNAME)``"' >> $@

+	echo 'pkcs11_modname = "``$(PKCS11_MODNAME)``"' >> $@

 # Dummy rule that man/Makefile can invoke

 version.py: $(docsrc)/version.py

diff --git a/src/man/Makefile.in b/src/man/Makefile.in

index 00b1b2de06..85cae0914e 100644

--- a/src/man/Makefile.in

+++ b/src/man/Makefile.in

@@ -8,6 +8,7 @@ sysconfdir=@sysconfdir@

 DEFCCNAME=@DEFCCNAME@

 DEFKTNAME=@DEFKTNAME@

 DEFCKTNAME=@DEFCKTNAME@

+PKCS11_MODNAME=@PKCS11_MODNAME@

 MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \

 	kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \

@@ -47,7 +48,8 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h

 	    -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \

 	    -e 's|@CCNAME@|$(DEFCCNAME)|g' \

 	    -e 's|@KTNAME@|$(DEFKTNAME)|g' \

-	    -e 's|@CKTNAME@|$(DEFCKTNAME)|g' $? > $@

+	    -e 's|@CKTNAME@|$(DEFCKTNAME)|g' \

+	    -e 's|@PKCS11MOD@|$(PKCS11_MODNAME)|g' $? > $@

 all: $(MANSUBS)

diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man

index 51acb38815..fd2c6f2bc4 100644

--- a/src/man/krb5.conf.man

+++ b/src/man/krb5.conf.man

@@ -1148,7 +1148,7 @@ user\(aqs certificate and private key.

 All keyword/values are optional.  \fImodname\fP specifies the location

 of a library implementing PKCS #11.  If a value is encountered

 with no keyword, it is assumed to be the \fImodname\fP\&.  If no

-module\-name is specified, the default is \fBopensc\-pkcs11.so\fP\&.

+module\-name is specified, the default is \fB@PKCS11MOD@\fP\&.

 \fBslotid=\fP and/or \fBtoken=\fP may be specified to force the use of

 a particular smard card reader or token if there is more than one

 available.  \fBcertid=\fP and/or \fBcertlabel=\fP may be specified to

diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h

index 8135535e2c..66f92d8f03 100644

--- a/src/plugins/preauth/pkinit/pkinit.h

+++ b/src/plugins/preauth/pkinit/pkinit.h

@@ -42,7 +42,6 @@

 #ifndef WITHOUT_PKCS11

 #include "pkcs11.h"

-#define PKCS11_MODNAME "opensc-pkcs11.so"

 #define PK_SIGLEN_GUESS 1000

 #define PK_NOSLOT 999999

 #endif

-- 

2.38.1