From 1bea471f6ec445a80d966de4233b270c4c2801c4 Mon Sep 17 00:00:00 2001 From: Ken Hornstein Date: Fri, 6 Dec 2024 15:29:33 -0500 Subject: [PATCH] Build PKINIT on Windows Include PKINIT in the Windows build if OPENSSL_DIR is set. In the installer, require PKINIT to be built, and require OPENSSL_VERSION to be set in the environment. Include the PKINIT module and a copy of the OpenSSL libcrypto DLL. Document the OpenSSL dependency in windows/README. Also clarify the Visual Studio dependencies, and restore the prep-windows build step which was accidentally removed by commit 5f33fb2cf19562175c8271cb9c54a67212f63b93. [ghudson@mit.edu: added CI and installer integration; edited README and commit message] ticket: 9162 (new) --- .github/workflows/build.yml | 2 + src/Makefile.in | 22 +++- src/config/win-pre.in | 12 +- src/include/win-mac.h | 4 + src/lib/krb5_32.def | 7 ++ src/plugins/preauth/pkinit/Makefile.in | 23 ++++ src/plugins/preauth/pkinit/pkinit.def | 3 + src/plugins/preauth/pkinit/pkinit.h | 2 + src/plugins/preauth/pkinit/pkinit_accessor.c | 4 +- src/plugins/preauth/pkinit/pkinit_accessor.h | 2 +- src/plugins/preauth/pkinit/pkinit_clnt.c | 1 - .../preauth/pkinit/pkinit_crypto_openssl.c | 116 +++++++++--------- src/plugins/preauth/pkinit/pkinit_identity.c | 1 - src/plugins/preauth/pkinit/pkinit_matching.c | 3 +- src/windows/README | 64 ++++++---- src/windows/installer/wix/config.wxi | 2 + src/windows/installer/wix/features.wxi | 2 + src/windows/installer/wix/files.wxi | 7 ++ src/windows/installer/wix/platform.wxi | 4 + 19 files changed, 186 insertions(+), 95 deletions(-) create mode 100644 src/plugins/preauth/pkinit/pkinit.def diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 183b7c2934..c16e77c43e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -70,6 +70,8 @@ jobs: runs-on: windows-latest env: KRB_INSTALL_DIR: C:\kfw + OPENSSL_DIR: C:\Program Files\OpenSSL + OPENSSL_VERSION: 1_1 steps: - name: Checkout repository uses: actions/checkout@v1 diff --git a/src/Makefile.in b/src/Makefile.in index e2286c5eed..01fb060f73 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -32,7 +32,8 @@ SUBDIRS=util include lib \ plugins/tls/k5tls \ kdc kadmin kprop clients appl tests \ config-files build-tools man doc @po@ -WINSUBDIRS=include util lib ccapi windows clients appl plugins\preauth\spake +WINSUBDIRS=include util lib ccapi windows clients appl plugins\preauth\spake \ + $(PKINIT_SUBDIR) BUILDTOP=$(REL). SRCS = @@ -105,6 +106,17 @@ config-windows: Makefile-windows # $(MAKE) -$(MFLAGS) # cd .. +# +# Build the pkinit plugin if OpenSSL was configured +# +##DOS##!ifdef OPENSSL_DIR +##DOS##PKINIT_SUBDIR=plugins\preauth\pkinit +##DOS##PKINIT_MAKEFILE=$(PKINIT_SUBDIR)\Makefile +##DOS##!else +##DOS##PKINIT_SUBDIR= +##DOS##PKINIT_MAKEFILE= +##DOS##!endif + # # We need outpre-dir explicitly in here because we may # try to build wconfig on a config-windows. @@ -154,7 +166,7 @@ WINMAKEFILES=Makefile \ windows\Makefile windows\lib\Makefile windows\ms2mit\Makefile \ windows\kfwlogon\Makefile windows\leashdll\Makefile \ windows\leash\Makefile windows\leash\htmlhelp\Makefile \ - plugins\preauth\spake\Makefile + plugins\preauth\spake\Makefile $(PKINIT_MAKEFILE) ##DOS##Makefile-windows: $(MKFDEP) $(WINMAKEFILES) @@ -278,6 +290,8 @@ WINMAKEFILES=Makefile \ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##plugins\preauth\spake\Makefile: plugins\preauth\spake\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ +##DOS##plugins\preauth\pkinit\Makefile: plugins\preauth\pkinit\Makefile.in $(MKFDEP) +##DOS## $(WCONFIG) config < $@.in > $@ clean-windows:: Makefile-windows @@ -485,6 +499,10 @@ install-windows: $(INSTALLDBGSYMS) clients\kswitch\$(OUTPRE)kswitch.pdb "$(KRB_INSTALL_DIR)\bin\." copy plugins\preauth\spake\$(OUTPRE)$(SPAKELIB).dll "$(KRB_INSTALL_DIR)\bin\plugins\preauth\." $(INSTALLDBGSYMS) plugins\preauth\spake\$(OUTPRE)$(SPAKELIB).pdb "$(KRB_INSTALL_DIR)\bin\plugins\preauth\." +##DOS##!ifdef OPENSSL_DIR + copy plugins\preauth\pkinit\$(OUTPRE)$(PKINITLIB).dll "$(KRB_INSTALL_DIR)\bin\plugins\preauth\." + $(INSTALLDBGSYMS) plugins\preauth\pkinit\$(OUTPRE)$(PKINITLIB).pdb "$(KRB_INSTALL_DIR)\bin\plugins\preauth\." +##DOS##!endif check-prerecurse: runenv.py $(RM) $(SKIPTESTS) diff --git a/src/config/win-pre.in b/src/config/win-pre.in index 753fde7ccb..0bcb280df5 100644 --- a/src/config/win-pre.in +++ b/src/config/win-pre.in @@ -117,7 +117,7 @@ KFWFLAGS=-DUSE_LEASH=1 -DDEBUG -D_CRTDBG_MAP_ALLOC CC=cl PDB_OPTS=-Fd$(OUTPRE)\ -FD -CPPFLAGS=-I$(top_srcdir)\include -I$(top_srcdir)\include\krb5 $(DNSFLAGS) -DWIN32_LEAN_AND_MEAN -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE -D_CRT_SECURE_NO_DEPRECATE $(KFWFLAGS) $(TIME_T_FLAGS) +CPPFLAGS=-I$(top_srcdir)\include -I$(top_srcdir)\include\krb5 $(DNSFLAGS) -DWIN32_LEAN_AND_MEAN -DKRB5_DEPRECATED=1 -DKRB5_PRIVATE -D_CRT_SECURE_NO_DEPRECATE $(KFWFLAGS) $(TIME_T_FLAGS) $(OSSLINCLUDE) # Treat the following warnings as errors: # 4020: too many actual parameters # 4024: different types for formal and actual parameter @@ -189,6 +189,16 @@ GLIB=$(BUILDTOP)\lib\$(OUTPRE)gssapi$(BITS).lib CCLIB=krbcc$(BITS) SPAKELIB=spake$(BITS) +!ifdef OPENSSL_DIR +OSSLLIB="$(OPENSSL_DIR)\lib\libcrypto.lib" +OSSLINC="-I$(OPENSSL_DIR)\include" +PKINITLIB=pkinit$(BITS) +!else +OSSLLIB= +OSSLINC= +PKINITLIB= +!endif + KRB4_INCLUDES=-I$(BUILDTOP)/include/kerberosIV COM_ERR_DEPS = $(BUILDTOP)/include/com_err.h diff --git a/src/include/win-mac.h b/src/include/win-mac.h index 0fd3a29e5f..b2a460131a 100644 --- a/src/include/win-mac.h +++ b/src/include/win-mac.h @@ -236,4 +236,8 @@ HINSTANCE get_lib_instance(void); #define KRB5_CALLCONV_C #endif +#ifndef PKCS11_MODNAME +#define PKCS11_MODNAME "C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll" +#endif + #endif /* _KRB5_WIN_MAC_H */ diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def index b1610974b1..c5a460185d 100644 --- a/src/lib/krb5_32.def +++ b/src/lib/krb5_32.def @@ -510,3 +510,10 @@ EXPORTS k5_sname_compare @474 ; PRIVATE GSSAPI krb5_kdc_sign_ticket @475 ; krb5_kdc_verify_ticket @476 ; + +; new in 1.22 +; private symbols used by PKINIT module + encode_krb5_sp80056a_other_info @477 ; PRIVATE + encode_krb5_pkinit_supp_pub_info @478 ; PRIVATE + krb5int_copy_data_contents @479 ; PRIVATE + krb5_free_pa_data @480 ; PRIVATE diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in index 86f143d72d..d57088c4d4 100644 --- a/src/plugins/preauth/pkinit/Makefile.in +++ b/src/plugins/preauth/pkinit/Makefile.in @@ -12,6 +12,9 @@ SHLIB_EXPDEPS = \ $(TOPLIBD)/libkrb5$(SHLIBEXT) SHLIB_EXPLIBS= -lkrb5 $(COM_ERR_LIB) -lk5crypto -lcrypto $(DL_LIB) $(SUPPORT_LIB) $(LIBS) +WINLIBS = $(KLIB) $(SLIB) $(PLIB) $(CLIB) $(OSSLLIB) +OSSLINCLUDE = $(OSSLINC) + STLIBOBJS= \ pkinit_accessor.o \ pkinit_srv.o \ @@ -35,6 +38,19 @@ SRCS= \ $(srcdir)/pkinit_matching.c \ $(srcdir)/pkinit_crypto_openssl.c +# +# Don't include pkinit_srv.c in the Windows object list since we +# don't need it. +# +OBJS= $(OUTPRE)pkinit_accessor.$(OBJEXT) \ + $(OUTPRE)pkinit_lib.$(OBJEXT) \ + $(OUTPRE)pkinit_clnt.$(OBJEXT) \ + $(OUTPRE)pkinit_constants.$(OBJEXT) \ + $(OUTPRE)pkinit_profile.$(OBJEXT) \ + $(OUTPRE)pkinit_identity.$(OBJEXT) \ + $(OUTPRE)pkinit_matching.$(OBJEXT) \ + $(OUTPRE)pkinit_crypto_openssl.$(OBJEXT) + all-unix: all-liblinks install-unix: install-libs clean-unix:: clean-liblinks clean-libs clean-libobjs @@ -48,6 +64,13 @@ check-unix: pkinit_kdf_test pkinit_kdf_test: pkinit_kdf_test.o $(STLIBOBJS) $(SHLIB_EXPDEPS) $(CC_LINK) -o $@ pkinit_kdf_test.o $(STLIBOBJS) $(SHLIB_EXPLIBS) +all-windows: $(OUTPRE)$(PKINITLIB).dll +clean-windows:: + $(RM) $(OUTPRE)$(PKINITLIB).dll + +$(OUTPRE)$(PKINITLIB).dll: pkinit.def $(OBJS) + link /dll $(LOPTS) -def:pkinit.def -out:$*.dll $(OBJS) $(WINLIBS) + @libnover_frag@ @libobj_frag@ diff --git a/src/plugins/preauth/pkinit/pkinit.def b/src/plugins/preauth/pkinit/pkinit.def new file mode 100644 index 0000000000..4736e35e84 --- /dev/null +++ b/src/plugins/preauth/pkinit/pkinit.def @@ -0,0 +1,3 @@ +EXPORTS + + clpreauth_pkinit_initvt diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h index 7ba7155bb4..200e75afe7 100644 --- a/src/plugins/preauth/pkinit/pkinit.h +++ b/src/plugins/preauth/pkinit/pkinit.h @@ -97,7 +97,9 @@ static inline void pkiDebug (const char *fmt, ...) { } /* Solaris compiler doesn't grok __FUNCTION__ * hack for now. Fix all the uses eventually. */ +#ifndef _WIN32 #define __FUNCTION__ __func__ +#endif /* Macros to deal with converting between various data types... */ #define PADATA_TO_KRB5DATA(pad, k5d) \ diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.c b/src/plugins/preauth/pkinit/pkinit_accessor.c index 0908f1b9bd..5d9463e84c 100644 --- a/src/plugins/preauth/pkinit/pkinit_accessor.c +++ b/src/plugins/preauth/pkinit/pkinit_accessor.c @@ -69,8 +69,8 @@ krb5_error_code krb5_error_code (*k5int_encode_krb5_kdc_req_body)(const krb5_kdc_req *rep, krb5_data **code); -void KRB5_CALLCONV -(*k5int_krb5_free_kdc_req)(krb5_context, krb5_kdc_req * ); +void +(KRB5_CALLCONV *k5int_krb5_free_kdc_req)(krb5_context, krb5_kdc_req * ); void (*k5int_set_prompt_types)(krb5_context, krb5_prompt_type *); diff --git a/src/plugins/preauth/pkinit/pkinit_accessor.h b/src/plugins/preauth/pkinit/pkinit_accessor.h index e510ab624e..37e2b53073 100644 --- a/src/plugins/preauth/pkinit/pkinit_accessor.h +++ b/src/plugins/preauth/pkinit/pkinit_accessor.h @@ -66,7 +66,7 @@ extern krb5_error_code (*k5int_decode_krb5_td_trusted_certifiers) extern krb5_error_code (*k5int_encode_krb5_kdc_req_body) (const krb5_kdc_req *rep, krb5_data **code); -extern void KRB5_CALLCONV (*k5int_krb5_free_kdc_req) +extern void (KRB5_CALLCONV *k5int_krb5_free_kdc_req) (krb5_context, krb5_kdc_req * ); extern void (*k5int_set_prompt_types) (krb5_context, krb5_prompt_type *); diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index 305a59da3b..9312ff4b1d 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -33,7 +33,6 @@ #include "pkinit.h" #include "k5-json.h" -#include #include /** diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 14370ae34b..8098028eb0 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -34,7 +34,6 @@ #include "k5-err.h" #include "k5-hex.h" #include "pkinit.h" -#include #include #include @@ -1867,7 +1866,7 @@ cms_signeddata_create(krb5_context context, #ifdef DEBUG_SIG print_buffer(sig, sig_len); #endif - free(abuf); + OPENSSL_free(abuf); if (retval) goto cleanup2; @@ -4304,12 +4303,9 @@ pkinit_get_certs_dir(krb5_context context, krb5_principal princ) { krb5_error_code retval = ENOMEM; - DIR *d = NULL; - struct dirent *dentry = NULL; - char certname[1024]; - char keyname[1024]; - int i = 0, len; - char *dirname, *suf; + int ncreds = 0, len, i; + char *dirname, *suf, *name, **fnames = NULL; + char *certname = NULL, *keyname = NULL; if (idopts->cert_filename == NULL) { TRACE_PKINIT_NO_CERT(context); @@ -4317,53 +4313,51 @@ pkinit_get_certs_dir(krb5_context context, } dirname = idopts->cert_filename; - d = opendir(dirname); - if (d == NULL) - return errno; + retval = k5_dir_filenames(dirname, &fnames); + if (retval) + return retval; /* * We'll assume that certs are named XXX.crt and the corresponding * key is named XXX.key */ - while ((i < MAX_CREDS_ALLOWED) && (dentry = readdir(d)) != NULL) { - /* Ignore subdirectories and anything starting with a dot */ -#ifdef DT_DIR - if (dentry->d_type == DT_DIR) - continue; -#endif - if (dentry->d_name[0] == '.') + for (i = 0; fnames[i] != NULL; i++) { + /* Ignore anything starting with a dot */ + name = fnames[i]; + if (name[0] == '.') continue; - len = strlen(dentry->d_name); + len = strlen(name); if (len < 5) continue; - suf = dentry->d_name + (len - 4); + suf = name + (len - 4); if (strncmp(suf, ".crt", 4) != 0) continue; - /* Checked length */ - if (strlen(dirname) + strlen(dentry->d_name) + 2 > sizeof(certname)) { - pkiDebug("%s: Path too long -- directory '%s' and file '%s'\n", - __FUNCTION__, dirname, dentry->d_name); - continue; - } - snprintf(certname, sizeof(certname), "%s/%s", dirname, dentry->d_name); - snprintf(keyname, sizeof(keyname), "%s/%s", dirname, dentry->d_name); + retval = k5_path_join(dirname, name, &certname); + if (retval) + goto cleanup; + retval = k5_path_join(dirname, name, &keyname); + if (retval) + goto cleanup; + len = strlen(keyname); keyname[len - 3] = 'k'; keyname[len - 2] = 'e'; keyname[len - 1] = 'y'; retval = pkinit_load_fs_cert_and_key(context, id_cryptoctx, - certname, keyname, i); - if (retval == 0) { - TRACE_PKINIT_LOADED_CERT(context, dentry->d_name); - i++; + certname, keyname, ncreds); + free(certname); + free(keyname); + certname = keyname = NULL; + if (!retval) { + TRACE_PKINIT_LOADED_CERT(context, name); + if (++ncreds >= MAX_CREDS_ALLOWED) + break; } - else - continue; } - if (!id_cryptoctx->defer_id_prompt && i == 0) { + if (!id_cryptoctx->defer_id_prompt && ncreds == 0) { TRACE_PKINIT_NO_CERT_AND_KEY(context, idopts->cert_filename); retval = ENOENT; goto cleanup; @@ -4372,9 +4366,9 @@ pkinit_get_certs_dir(krb5_context context, retval = 0; cleanup: - if (d) - closedir(d); - + k5_free_filenames(fnames); + free(certname); + free(keyname); return retval; } @@ -5166,34 +5160,28 @@ load_cas_and_crls_dir(krb5_context context, char *dirname) { krb5_error_code retval = EINVAL; - DIR *d = NULL; - struct dirent *dentry = NULL; - char filename[1024]; + char **fnames = NULL, *filename; + int i; if (dirname == NULL) return EINVAL; - d = opendir(dirname); - if (d == NULL) - return ENOENT; + retval = k5_dir_filenames(dirname, &fnames); + if (retval) + return retval; - while ((dentry = readdir(d))) { - if (strlen(dirname) + strlen(dentry->d_name) + 2 > sizeof(filename)) { - pkiDebug("%s: Path too long -- directory '%s' and file '%s'\n", - __FUNCTION__, dirname, dentry->d_name); - goto cleanup; - } - /* Ignore subdirectories and anything starting with a dot */ -#ifdef DT_DIR - if (dentry->d_type == DT_DIR) - continue; -#endif - if (dentry->d_name[0] == '.') + for (i = 0; fnames[i] != NULL; i++) { + /* Ignore anything starting with a dot */ + if (fnames[i][0] == '.') continue; - snprintf(filename, sizeof(filename), "%s/%s", dirname, dentry->d_name); + + retval = k5_path_join(dirname, fnames[i], &filename); + if (retval) + goto cleanup; retval = load_cas_and_crls(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx, catype, filename); + free(filename); if (retval) goto cleanup; } @@ -5201,9 +5189,7 @@ load_cas_and_crls_dir(krb5_context context, retval = 0; cleanup: - if (d != NULL) - closedir(d); - + k5_free_filenames(fnames); return retval; } @@ -5712,3 +5698,13 @@ parse_dh_min_bits(krb5_context context, const char *str) TRACE_PKINIT_DH_INVALID_MIN_BITS(context, str); return PKINIT_DEFAULT_DH_MIN_BITS; } + +#ifdef _WIN32 +BOOL WINAPI +DllMain(HANDLE hModule, DWORD fdwReason, LPVOID lpvReserved) +{ + if (fdwReason == DLL_PROCESS_ATTACH) + pkinit_openssl_init__auxinit(); + return TRUE; +} +#endif /* _WIN32 */ diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c index 2e29a8c45b..0dcfcfc46a 100644 --- a/src/plugins/preauth/pkinit/pkinit_identity.c +++ b/src/plugins/preauth/pkinit/pkinit_identity.c @@ -30,7 +30,6 @@ */ #include "pkinit.h" -#include static void free_list(char **list) diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c index b42485a50a..0ea072c887 100644 --- a/src/plugins/preauth/pkinit/pkinit_matching.c +++ b/src/plugins/preauth/pkinit/pkinit_matching.c @@ -33,9 +33,8 @@ #include #include #include -#include -#include #include "pkinit.h" +#include "k5-regex.h" typedef struct _pkinit_cert_info pkinit_cert_info; diff --git a/src/windows/README b/src/windows/README index 5ceff9adca..7ca84a8eec 100644 --- a/src/windows/README +++ b/src/windows/README @@ -10,13 +10,24 @@ To build Kerberos 5 on Windows, you will need the following: * A version of Visual Studio (at least 2013) which includes the Microsoft Foundation Classes libraries. These instructions will - work for Visual Studio 2017 Community or Professional, both of which - include the MFC libraries if the "Visual C++ MFC" checkbox is - selected after enabling the "Desktop development with C++" workload. - If you do not plan to build the graphical ticket manager - application, the MFC libraries are not required. + work for Visual Studio 2022 Community or Professional. Include + the following components: -* A version of Perl. + - Under Workloads, select Desktop development with C++ + - Under Individual components -> SDKs, libraries, and frameworks, + select "C++ MFC for latest v*** build tools (x86 & x64)". This + component is not required if you do not wish to build the + graphical ticket manager. + - Under Individual components -> Compilers, build tools, and + runtimes, select "C++ 20** Redistributable MSMs". This component + is not required if you do not wish to build the installer. + +* An OpenSSL installation, including the headers, DLLs, and import + .LIB files. This dependency is optional if you are not building + PKINIT. We recommend building OpenSSL from source code. + +* A version of Perl. We recommend Strawberry Perl as it will work + to build OpenSSL. * Some common Unix utilities such as sed/awk/cp/cat installed in the command-line path. @@ -28,20 +39,12 @@ To build Kerberos 5 on Windows, you will need the following: A simple way to get the necessary Unix utilities is to install Git BASH from https://gitforwindows.org and configure it to add the Unix -utilities to the command-line path. In some versions of Windows (not -the most current versions), the Unix utilities can alternatively be -obtained via the Utilities and SDK for UNIX-based Applications, which -may be enabled as a Windows feature and then the components installed. -Note that the Windows nmake will not find the SUA awk utility in the -path unless it is named awk.exe; the permissions on the utility may -need correcting if awk.exe is created as a copy of the original awk. - -Git BASH contains a version of Perl, which will work to build krb5 if -the newlines in the source tree are not translated to native newlines. -Strawberry Perl will work regardless of whether newlines are -translated. If both Git BASH and Strawberry Perl are installed, you -may need to adjust the command line path to ensure that the preferred -Perl appears first. +utilities to the command-line path. + +Git BASH contains a version of Perl, which will work to build krb5, +but not to build OpenSSL from source. If both Git BASH and Strawberry +Perl are installed, you may need to adjust the command line path to +ensure that the preferred Perl appears first when building OpenSSL. The krb5 source tree may be obtained either directly on the Windows machine with a native git client cloning the krb5 public mirror at @@ -75,6 +78,14 @@ the MSI installer, this directory should be a temporary staging area in or near your build tree. The directory must exist before nmake install is run. +Set the environment variable OPENSSL_DIR to point to the root of the +OpenSSL install tree, and the environment variable OPENSSL_VERSION to +the version string as it apears in the DLL names (such as "1_1" or +"3"). Include files should be in %OPENSSL_DIR%\include, import .LIB +files should be in %OPENSSL_DIR%\lib, and the libcrypto DLL should be +in %OPENSSL_DIR%\bin\libcrypto-%OPENSSL_VERSION%-x64.dll. These steps +are optional if you do not wish to build PKINIT. + To skip building the graphical ticket manager, run "set NO_LEASH=1" before building, and do not build the installer. @@ -82,11 +93,14 @@ Run the following commands in a Visual Studio command prompt: 1) set PATH=%PATH%;"%WindowsSdkVerBinPath%"\x86 # To get uicc.exe 2) set KRB_INSTALL_DIR=\path\to\dir # Where bin/include/lib lives - 3) cd xxx\src # Go to where source lives - 4) nmake [NODEBUG=1] # Build the sources - 5) nmake install [NODEBUG=1] # Copy libraries/executables - 6) cd windows\installer\wix # Go to the installer source - 7) nmake [NODEBUG=1] # Build the installer + 3) set OPENSSL_DIR=\path\to\openssl # Where OpenSSL lives + 4) set OPENSSL_VERSION=3 # Version of OpenSSL DLLs + 5) cd xxx\src # Go to where source lives + 6) nmake -f Makefile.in prep-windows # Create Makefile for Windows + 7) nmake [NODEBUG=1] # Build the sources + 8) nmake install [NODEBUG=1] # Copy libraries/executables + 9) cd windows\installer\wix # Go to the installer source +10) nmake [NODEBUG=1] # Build the installer Step 1 may be skipped if uicc is already in the command-line path (try running "uicc" to see if you get a usage message or a not-found diff --git a/src/windows/installer/wix/config.wxi b/src/windows/installer/wix/config.wxi index ea6e610a01..ffd68d9cde 100644 --- a/src/windows/installer/wix/config.wxi +++ b/src/windows/installer/wix/config.wxi @@ -38,6 +38,8 @@ + + diff --git a/src/windows/installer/wix/features.wxi b/src/windows/installer/wix/features.wxi index 3405dc4827..de99ad7edb 100644 --- a/src/windows/installer/wix/features.wxi +++ b/src/windows/installer/wix/features.wxi @@ -63,7 +63,9 @@ + + diff --git a/src/windows/installer/wix/files.wxi b/src/windows/installer/wix/files.wxi index 805856eae2..675eea803e 100644 --- a/src/windows/installer/wix/files.wxi +++ b/src/windows/installer/wix/files.wxi @@ -272,6 +272,9 @@ + + + @@ -305,8 +308,12 @@ + + + + diff --git a/src/windows/installer/wix/platform.wxi b/src/windows/installer/wix/platform.wxi index 006e355440..470400aa14 100644 --- a/src/windows/installer/wix/platform.wxi +++ b/src/windows/installer/wix/platform.wxi @@ -73,6 +73,10 @@ + + + + -- 2.47.2