Allow config of dh_min_bits < 2048

author Tom Yu <tlyu@mit.edu>

Wed, 10 Apr 2013 03:47:54 +0000 (23:47 -0400)

committer Tom Yu <tlyu@mit.edu>

Wed, 5 Jun 2013 01:40:31 +0000 (21:40 -0400)
author Tom Yu <tlyu@mit.edu>
Wed, 10 Apr 2013 03:47:54 +0000 (23:47 -0400)
committer Tom Yu <tlyu@mit.edu>
Wed, 5 Jun 2013 01:40:31 +0000 (21:40 -0400)
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h

index 48e57fe87f0e3a6348f47ba098fffd771b06b153..d8a8d31a66d44d0a4e973c1b1ac0abd2f4088e58 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -72,6 +72,7 @@ extern int longhorn;      /* XXX Talking to a Longhorn server? */
  #define PKINIT_REQ_CTX_MAGIC   0xdeadbeef
  
  #define PKINIT_DEFAULT_DH_MIN_BITS  2048
+#define PKINIT_DH_MIN_CONFIG_BITS   1024
  
  #define KRB5_CONF_KDCDEFAULTS                   "kdcdefaults"
  #define KRB5_CONF_LIBDEFAULTS                   "libdefaults"
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c

index c271bf98148c1323398cab32c581a7a27ad5fa81..2402f8869217095851de7f1f82b0e8b4ed0ced27 100644 (file)
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1176,10 +1176,11 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
                                KRB5_CONF_PKINIT_DH_MIN_BITS,
                                PKINIT_DEFAULT_DH_MIN_BITS,
                                &plgctx->opts->dh_min_bits);
-    if (plgctx->opts->dh_min_bits < PKINIT_DEFAULT_DH_MIN_BITS) {
-        pkiDebug("%s: invalid value (%d) for pkinit_dh_min_bits, "
+    if (plgctx->opts->dh_min_bits < PKINIT_DH_MIN_CONFIG_BITS) {
+        pkiDebug("%s: invalid value (%d < %d) for pkinit_dh_min_bits, "
                   "using default value (%d) instead\n", __FUNCTION__,
-                 plgctx->opts->dh_min_bits, PKINIT_DEFAULT_DH_MIN_BITS);
+                 plgctx->opts->dh_min_bits, PKINIT_DH_MIN_CONFIG_BITS,
+                 PKINIT_DEFAULT_DH_MIN_BITS);
          plgctx->opts->dh_min_bits = PKINIT_DEFAULT_DH_MIN_BITS;
      }
author	Tom Yu <tlyu@mit.edu>
	Wed, 10 Apr 2013 03:47:54 +0000 (23:47 -0400)
committer	Tom Yu <tlyu@mit.edu>
	Wed, 5 Jun 2013 01:40:31 +0000 (21:40 -0400)
src/plugins/preauth/pkinit/pkinit.h		patch \| blob \| blame \| history
src/plugins/preauth/pkinit/pkinit_srv.c		patch \| blob \| blame \| history