From: ghudson@mit.edu
Subject: git commit
Enable PKINIT if at least one group is available
OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman
group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL
does not know about MODP group 2 (1024-bit), which is considered a
custom group. As a consequence, the PKINIT kdcpreauth module fails to
load in FIPS mode.
Allow initialization of the PKINIT plugin if at least one of the MODP
well-known group parameters successfully decodes.
[ghudson@mit.edu: minor commit message and code edits]
https://github.com/krb5/krb5/commit/509d8db922e9ad6f108883838473b6178f89874a
Author: Greg Hudson <ghudson@mit.edu>
Commit: 509d8db922e9ad6f108883838473b6178f89874a
Branch: master
src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +-
src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +-
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 76 +++++++++++++---------
src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
src/plugins/preauth/pkinit/pkinit_trace.h | 3 +
5 files changed, 51 insertions(+), 35 deletions(-)