I've just uploaded a webrev with what is hopefully the final bits for the PKINIT 1.6.3 resync. This webrev includes all my changes to pkinit, code review comments and some other misc fixes.
See the webrev here:
http://cr.opensolaris.org/~mbp/pkinit-updates/

The following need review:

/usr/lib/krb5/plugins/preauth/*
 * Build/Makefile changes
 * Default to /usr/lib/libpkcs11.so rather than opensc-pkcs11.so
 * Minor cleanups and lint fixes
 * Fix crash when using password protected PKCS11/PKCS12 keys/certs for krb5kdc
 * Better error messages for common configuration problems for krb5kdc
 * Internationalization fixes
 * Fixes for the case where libpkcs11 is already being used by the application calling pkinit. This is the default on Solaris for kinit/krb5kdc as libpkcs11 is used for all crypto.
 * A new fallback when searching for a key in a PKCS11 token - if all else fails then try to find a key with the same RSA modulus as from the cert.

usr/src/lib/gss_mechs/mech_krb5/support/plugins.c
 * Changed the plugin code to only load files which end in ".so"

usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform.h
usr/src/uts/common/gssapi/mechs/krb5/krb5/krb/serialize.c
usr/src/uts/common/gssapi/mechs/krb5/mech/k5sealv3.c
usr/src/lib/krb5/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform-load_16.h
usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform-load_32.h
usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform-load_64.h
usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform-store_16.h
usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform-store_32.h
usr/src/uts/common/gssapi/mechs/krb5/include/k5-platform-store_64.h
 * Had to split up k5-platform.h into a number of header files. Lint didn't think too much of unused inline static funcs appearing everywhere

usr/src/cmd/krb5/klist/Makefile
 * Uses func from mech_krb5 instead of libsocket due to modified define - no longer needs to directly link against libsocket.so

For /usr/lib/krb5/plugins/preauth/pkinit/pkinit* I've generated a second webrev against MIT's pkinit which should make it easier to see where we differ to MIT.
See it here:
http://cr.opensolaris.org/~mbp/pkinit-updates_mit/

The code has been built on both sparc and x86, both full clobber builds and incremental, with no warnings or errors.

-Mark