[krbdev.mit.edu #7596] PKINIT should allow missing DH param Q
Reinhard Kugler via RT
rt-comment at krbdev.mit.edu
Wed Apr 3 06:05:10 EDT 2013
I temporarily removed the check of the DH key length in pkinit_crypto_openssl.c:

    /* KDC SHOULD check to see if the key parameters satisfy its policy */
    dh_prime_bits = BN_num_bits(dh->p);
    /*if (minbits && dh_prime_bits < minbits) {
        pkiDebug("client sent dh params with %d bits, we require %d\n",
                 dh_prime_bits, minbits);
        goto cleanup;
    }*/

PKINIT succeeded and Windows was able to acquire a TGT.