NSS for PKINIT, in-progress patches available, feedback sought

Greg Hudson ghudson at MIT.EDU
Tue Oct 11 13:37:20 EDT 2011


On 10/10/2011 06:33 PM, Greg Hudson wrote:
> I'm actually not sure where SECMOD_LoadUserModule looks for relative
> paths.

It appears to translate into a straight dlopen() call on Unix.  On
Linux, dlopen() consults the rpath or runpath values in... something (I
can't figure out what exactly, but in my tests it was checking an rpath
value which either came from the pkinit module object or an NSS library,
since none was set on krb5kdc or the nspr library).

Anyway, I assume this problem will go away if and when nsspem becomes a
built-in module for NSS, so let's ignore this problem for now.

In a line-by-line review, I found just one more problem: don't use
strcpy, strcat, or sprintf, even safely; use strlcpy, strlcat, or
snprintf instead.  (k5-platform.h and libkrb5support ensure the
availability of those functions.)
http://k5wiki.kerberos.org/wiki/Coding_style/Practices#String_Handling

If you fix those and modify the nsspem loading code to use
PR_GetLibraryName, I should be able to commit this.
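
An added example, not part of the original message or the krb5 source: a bounded way to build a module path with snprintf that treats truncation as an error, since a silently shortened path handed to a loader would name a different file. The helper names, the "/usr/lib" directory and the Unix-only "lib%s.so" pattern are assumptions for illustration (PR_GetLibraryName is the portable route the message asks for); only snprintf is used so the block builds without k5-platform.h.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: write "dir/libNAME.so" into out (capacity outlen).
 * Returns 0 on success, -1 if the result would not fit.  On failure out is
 * emptied so a truncated path can never reach the loader. */
int build_lib_path(char *out, size_t outlen, const char *dir, const char *name)
{
    int n;

    if (outlen == 0)
        return -1;
    n = snprintf(out, outlen, "%s/lib%s.so", dir, name);
    if (n < 0 || (size_t)n >= outlen) {   /* n counts bytes excluding NUL */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical helper: bounded replacement for a strcat() call.  Appends s
 * to the string in buf (capacity buflen); returns -1 and leaves buf
 * unchanged if the result would not fit. */
int bounded_append(char *buf, size_t buflen, const char *s)
{
    const char *end = memchr(buf, '\0', buflen);
    size_t used;
    int n;

    if (end == NULL)
        return -1;                        /* buf not terminated in bounds */
    used = (size_t)(end - buf);
    n = snprintf(buf + used, buflen - used, "%s", s);
    if (n < 0 || (size_t)n >= buflen - used) {
        buf[used] = '\0';                 /* undo the partial write */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[64];                        /* constructed sample input below */

    if (build_lib_path(path, sizeof(path), "/usr/lib", "nsspem") != 0)
        return 1;
    printf("%s\n", path);
    return 0;
}
```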


