[20176] in Kerberos_V5_Development


Re: Building the PKINIT plugin on Windows

daemon@ATHENA.MIT.EDU (Ken Hornstein)
Fri Oct 9 11:40:24 2020

Message-ID: <202010091539.099FdWLH028459@hedwig.cmf.nrl.navy.mil>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <91826846-fb09-2c0a-0b09-fe8818495d43@mit.edu>
MIME-Version: 1.0
Date: Fri, 09 Oct 2020 11:39:31 -0400
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>When I last looked into this, the OpenSSL dependency seemed to be the
>trickiest part.  I didn't have any luck finding examples on github that
>didn't check OpenSSL binaries into the repository.  So insight from
>Windows developers on this point would be the most useful from my
>perspective.  That would also pave the way for k5tls (for MS-KKDCP
>support) and, less importantly, SPAKE support for the NIST curves.

I guess I'm wondering exactly what kind of infrastructure you want
in the Windows build process; do you want to have it build OpenSSL
as well, or simply point to already-built OpenSSL libraries?  It looks
like all our Windows build system does is run "perl Configure VC-WIN64A"
and then just use nmake (there may be more steps involved; I'm not
an expert on the Windows build process we use, but those look like the
key ones).

>> - The use of dlopen()/dlsym to load a PKCS#11 library
>
>krb5int_open_plugin() and krb5int_get_plugin_sym() from libkrb5support
>should be helpful here.

I had looked at that, but my reading is that krb5int_get_plugin_sym()
is not currently exported.  Oh, I guess you mean krb5int_get_plugin_func().

>> - The lack of regcomp()/regex() on Windows
>
>It doesn't look like we have an existing facility to help here; we use
>regexps in the aname-to-localname part of libkrb5, but appear to just
>compile out that code on Windows.  gnulib isn't an ideal dependency for
>us for licensing reasons.

Fair enough; I'll see if I can dig up some replacement functions maybe
from the BSDs that have a better license.

--Ken