]> git.ipfire.org Git - thirdparty/krb5.git/commit
projects / thirdparty / krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: fabbf11) | patch
PKINIT ECDH support 1301/head
authorGreg Hudson <ghudson@mit.edu>
Fri, 12 May 2023 19:38:46 +0000 (15:38 -0400)
committerGreg Hudson <ghudson@mit.edu>
Mon, 17 Jul 2023 05:05:37 +0000 (01:05 -0400)
commit0f870b1bcad960fd5319a3f97aafd7f4a289e2fb
tree3f91435fcf5a368d9b0507babd2ea4461e487d8ctree
parentfabbf11f457a84904a5fa251584fd660a52fa583commit | diff
PKINIT ECDH support

Add support for elliptic curve key exchange to PKINIT (RFC 5349
section 4).  Extend pkinit_dh_min_bits to allow the string values
"P-256", "P-384", and "P-521", using rough finite-field strength
equivalents to rank them relative to the Oakley Diffie-Hellman groups.

When processing TD-DH-PARAMETERS on the client, only accept the three
Oakley groups or the three supported elliptic curve groups.
Previously we accepted any Diffie-Hellman parameters that passed
EVP_PKEY_param_check()/DH_check() and had equal or better bit strength
to the original proposal.

ticket: 9095 (new)
12 files changed:
doc/admin/conf_files/kdc_conf.rst diff | blob | blame | history
doc/admin/conf_files/krb5_conf.rst diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit.h diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_clnt.c diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_constants.c diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_crypto.h diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_crypto_openssl.h diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_lib.c diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_srv.c diff | blob | blame | history
src/plugins/preauth/pkinit/pkinit_trace.h diff | blob | blame | history
src/tests/t_pkinit.py diff | blob | blame | history
Mirror of https://github.com/krb5/krb5.git