From: Tom Yu Date: Wed, 10 Apr 2013 03:47:54 +0000 (-0400) Subject: Allow config of dh_min_bits < 2048 X-Git-Tag: krb5-1.12-alpha1~209 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cae44d2d014985022a001924dce4a56d12c63818;p=thirdparty%2Fkrb5.git Allow config of dh_min_bits < 2048 Allow configuration to override the default dh_min_bits of 2048 to 1024. Disallow configuration of dh_min_bits < 1024, but continue to default to 2048. ticket: 7602 target_version: 1.11.3 tags: pullup
---
diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 5ecc489728..39d4aaaf55 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -73,6 +73,7 @@ extern int longhorn; /* XXX Talking to a Longhorn server? */
 #define PKINIT_REQ_CTX_MAGIC 0xdeadbeef
 #define PKINIT_DEFAULT_DH_MIN_BITS 2048
+#define PKINIT_DH_MIN_CONFIG_BITS 1024
 #define KRB5_CONF_KDCDEFAULTS "kdcdefaults"
 #define KRB5_CONF_LIBDEFAULTS "libdefaults"
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index e379382119..0f5ab32c59 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1184,10 +1184,11 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
 KRB5_CONF_PKINIT_DH_MIN_BITS,
 PKINIT_DEFAULT_DH_MIN_BITS,
 &plgctx->opts->dh_min_bits);
- if (plgctx->opts->dh_min_bits < PKINIT_DEFAULT_DH_MIN_BITS) {
- pkiDebug("%s: invalid value (%d) for pkinit_dh_min_bits, "
+ if (plgctx->opts->dh_min_bits < PKINIT_DH_MIN_CONFIG_BITS) {
+ pkiDebug("%s: invalid value (%d < %d) for pkinit_dh_min_bits, "
 "using default value (%d) instead\n", __FUNCTION__,
- plgctx->opts->dh_min_bits, PKINIT_DEFAULT_DH_MIN_BITS);
+ plgctx->opts->dh_min_bits, PKINIT_DH_MIN_CONFIG_BITS,
+ PKINIT_DEFAULT_DH_MIN_BITS);
 plgctx->opts->dh_min_bits = PKINIT_DEFAULT_DH_MIN_BITS;
 }
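Review bot: The new `PKINIT_DH_MIN_CONFIG_BITS` in pkinit.h sits directly under `PKINIT_DEFAULT_DH_MIN_BITS` with no comment saying which one is the default and which is the lowest value an administrator may configure, and the two names are easy to confuse. A short comment on the new macro would settle it, for example `/* lowest pkinit_dh_min_bits a KDC administrator may configure; smaller values fall back to PKINIT_DEFAULT_DH_MIN_BITS */`. Because 1024-bit DH groups carry a much smaller security margin than the 2048-bit default, the comment should also say that the lower value is an explicit downgrade, presumably kept for interoperability with older clients.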
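Review bot: A configured `pkinit_dh_min_bits` between `PKINIT_DH_MIN_CONFIG_BITS` and `PKINIT_DEFAULT_DH_MIN_BITS` is now accepted in pkinit_srv.c with no message at all, so a KDC running with a weakened DH minimum leaves no record of that choice; the rejection branch still reports only through `pkiDebug`, which may not reach production logs (its definition is not visible here). Consider a second branch after the rejection check, `else if (plgctx->opts->dh_min_bits < PKINIT_DEFAULT_DH_MIN_BITS)`, that writes the configured and default values to the KDC's regular log. The check is also a pure lower bound, so a value that matches no supported group size (1500, say) passes through unchanged, and whether later code rounds or rejects it cannot be told from this hunk. The body of `pkinit_init_kdc_profile` starts and ends outside the hunk.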