krb5 commit [krb5-1.10]: Allow config of dh_min_bits < 2048

Tom Yu tlyu at MIT.EDU
Tue Jun 4 22:05:10 EDT 2013


https://github.com/krb5/krb5/commit/508ef6703dc429dccbe8a0940ca0ecb80e3bd9b2
commit 508ef6703dc429dccbe8a0940ca0ecb80e3bd9b2
Author: Tom Yu <tlyu at mit.edu>
Date:   Tue Apr 9 23:47:54 2013 -0400

    Allow config of dh_min_bits < 2048
    
    Allow configuration to override the default dh_min_bits of 2048 to
    1024.  Disallow configuration of dh_min_bits < 1024, but continue to
    default to 2048.
    
    (cherry picked from commit cae44d2d014985022a001924dce4a56d12c63818)
    
    ticket: 7659 (new)
    version_fixed: 1.10.6
    status: resolved

 src/plugins/preauth/pkinit/pkinit.h     |    1 +
 src/plugins/preauth/pkinit/pkinit_srv.c |    7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h
index 48e57fe..d8a8d31 100644
--- a/src/plugins/preauth/pkinit/pkinit.h
+++ b/src/plugins/preauth/pkinit/pkinit.h
@@ -72,6 +72,7 @@ extern int longhorn;	    /* XXX Talking to a Longhorn server? */
 #define PKINIT_REQ_CTX_MAGIC	0xdeadbeef
 
 #define PKINIT_DEFAULT_DH_MIN_BITS  2048
+#define PKINIT_DH_MIN_CONFIG_BITS   1024
 
 #define KRB5_CONF_KDCDEFAULTS                   "kdcdefaults"
 #define KRB5_CONF_LIBDEFAULTS                   "libdefaults"
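Review bot: The new PKINIT_DH_MIN_CONFIG_BITS macro on the added line carries no comment, and its relationship to PKINIT_DEFAULT_DH_MIN_BITS directly above it (a floor for configured values versus the value used when nothing is configured or the configured value is rejected) is only recoverable from pkinit_srv.c. A one-line comment would keep the two constants from being confused the next time one of them is raised: `/* Lowest pkinit_dh_min_bits a config may set; below this the 2048-bit default is used. */`. The same pair of constants is used by the check in the pkinit_srv.c hunk.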
diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c
index c271bf9..2402f88 100644
--- a/src/plugins/preauth/pkinit/pkinit_srv.c
+++ b/src/plugins/preauth/pkinit/pkinit_srv.c
@@ -1176,10 +1176,11 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx)
                               KRB5_CONF_PKINIT_DH_MIN_BITS,
                               PKINIT_DEFAULT_DH_MIN_BITS,
                               &plgctx->opts->dh_min_bits);
-    if (plgctx->opts->dh_min_bits < PKINIT_DEFAULT_DH_MIN_BITS) {
-        pkiDebug("%s: invalid value (%d) for pkinit_dh_min_bits, "
+    if (plgctx->opts->dh_min_bits < PKINIT_DH_MIN_CONFIG_BITS) {
+        pkiDebug("%s: invalid value (%d < %d) for pkinit_dh_min_bits, "
                  "using default value (%d) instead\n", __FUNCTION__,
-                 plgctx->opts->dh_min_bits, PKINIT_DEFAULT_DH_MIN_BITS);
+                 plgctx->opts->dh_min_bits, PKINIT_DH_MIN_CONFIG_BITS,
+                 PKINIT_DEFAULT_DH_MIN_BITS);
         plgctx->opts->dh_min_bits = PKINIT_DEFAULT_DH_MIN_BITS;
     }
 
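Review bot: The rejection of a too-small pkinit_dh_min_bits on the changed `if` block is surfaced only through pkiDebug, so if that trace is not enabled in a given build (not visible here) an administrator who sets a value below 1024 gets 2048 silently; that is the safe direction, but the intent of falling back to PKINIT_DEFAULT_DH_MIN_BITS rather than to PKINIT_DH_MIN_CONFIG_BITS deserves a comment so a later change does not "fix" it to the floor. Suggested comment above the `if`: `/* Values below the 1024-bit floor are rejected; fall back to the stronger 2048-bit default, not the floor, so a bad setting fails safe. */`. Note also that the check only bounds the low side, so any value from 1024 upward is now accepted as given, which is presumably the intent of the ticket. pkinit_init_kdc_profile begins before this hunk and continues after it.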

