Enable PKINIT if at least one group is available

OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL does not know about MODP group 2 (1024-bit), which is considered as a custom group. As a consequence, the PKINIT kdcpreauth module fails to load in FIPS mode.

Allow initialization of PKINIT plugin if at least one of the MODP well-known group parameters successfully decodes.

[ghudson@mit.edu: minor commit message and code edits]

https://github.com/krb5/krb5/commit/509d8db922e9ad6f108883838473b6178f89874a
Author: Greg Hudson
Commit: 509d8db922e9ad6f108883838473b6178f89874a
Branch: master

 src/plugins/preauth/pkinit/pkinit_clnt.c           |  2 +-
 src/plugins/preauth/pkinit/pkinit_crypto.h         |  3 +-
 src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 76 +++++++++++++---------
 src/plugins/preauth/pkinit/pkinit_srv.c            |  2 +-
 src/plugins/preauth/pkinit/pkinit_trace.h          |  3 +
 5 files changed, 51 insertions(+), 35 deletions(-)