Skip Menu |

Subject: git commit

Enable PKINIT if at least one group is available

OpenSSL may no longer allow decoding of non-well-known Diffie-Hellman
group parameters as EVP_PKEY objects in FIPS mode. However, OpenSSL
does not know about MODP group 2 (1024-bit), which is considered as a
custom group. As a consequence, the PKINIT kdcpreauth module fails to
load in FIPS mode.

Allow initialization of PKINIT plugin if at least one of the MODP
well-known group parameters successfully decodes.

[ minor commit message and code edits]
Author: Greg Hudson <>
Commit: 509d8db922e9ad6f108883838473b6178f89874a
Branch: master
src/plugins/preauth/pkinit/pkinit_clnt.c | 2 +-
src/plugins/preauth/pkinit/pkinit_crypto.h | 3 +-
src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 76 +++++++++++++---------
src/plugins/preauth/pkinit/pkinit_srv.c | 2 +-
src/plugins/preauth/pkinit/pkinit_trace.h | 3 +
5 files changed, 51 insertions(+), 35 deletions(-)