git.ipfire.org Git - thirdparty/krb5.git/commit
Enable PKINIT if at least one group is available 1303/head
author Greg Hudson <ghudson@mit.edu>
Tue, 30 May 2023 05:21:48 +0000 (01:21 -0400)
committer Greg Hudson <ghudson@mit.edu>
Fri, 2 Jun 2023 05:18:06 +0000 (01:18 -0400)
commit 509d8db922e9ad6f108883838473b6178f89874a
tree 7d51ebd6195f35e99f693a484988da5b2f432aed
parent e991aecd44d9d953e7ceb928f994fd07a0105433
Enable PKINIT if at least one group is available

OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman
group parameters as EVP_PKEY objects in FIPS mode.  However, OpenSSL
does not know about MODP group 2 (1024-bit), which is considered as a
custom group.  As a consequence, the PKINIT kdcpreauth module fails to
load in FIPS mode.

Allow initialization of PKINIT plugin if at least one of the MODP
well-known group parameters successfully decodes.

[ghudson@mit.edu: minor commit message and code edits]

ticket: 9096 (new)
src/plugins/preauth/pkinit/pkinit_clnt.c
src/plugins/preauth/pkinit/pkinit_crypto.h
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c
src/plugins/preauth/pkinit/pkinit_srv.c
src/plugins/preauth/pkinit/pkinit_trace.h