author    Greg Hudson <ghudson@mit.edu>  2023-05-12 15:38:46 -0400
committer Greg Hudson <ghudson@mit.edu>  2023-07-17 01:05:37 -0400
commit    0f870b1bcad960fd5319a3f97aafd7f4a289e2fb (patch)
tree      3f91435fcf5a368d9b0507babd2ea4461e487d8c /doc/admin
parent    fabbf11f457a84904a5fa251584fd660a52fa583 (diff)
PKINIT ECDH support
Add support for elliptic curve key exchange to PKINIT (RFC 5349
section 4).  Extend pkinit_dh_min_bits to allow the string values
"P-256", "P-384", and "P-521", using rough finite-field strength
equivalents to rank them relative to the Oakley Diffie-Hellman groups.

When processing TD-DH-PARAMETERS on the client, only accept the three
Oakley groups or the three supported elliptic curve groups.
Previously we accepted any Diffie-Hellman parameters that passed
EVP_PKEY_param_check()/DH_check() and had equal or better bit strength
to the original proposal.

ticket: 9095 (new)
Diffstat (limited to 'doc/admin')
-rw-r--r--  doc/admin/conf_files/kdc_conf.rst   7
-rw-r--r--  doc/admin/conf_files/krb5_conf.rst  7
2 files changed, 9 insertions, 5 deletions
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index 74a0a2a..d1de933 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -768,8 +768,11 @@ For information about the syntax of some of these options, see
be specified multiple times.
**pkinit_dh_min_bits**
- Specifies the minimum number of bits the KDC is willing to accept
- for a client's Diffie-Hellman key. The default is 2048.
+ Specifies the minimum strength of Diffie-Hellman group the KDC is
+ willing to accept for key exchange. Valid values in order of
+ increasing strength are 1024, 2048, P-256, 4096, P-384, and P-521.
+ The default is 2048. (P-256, P-384, and P-521 are new in release
+ 1.22.)
**pkinit_allow_upn**
Specifies that the KDC is willing to accept client certificates
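Review bot: The new kdc_conf.rst text lists the valid values "in order of increasing strength" but never says how that order is applied, so a reader cannot tell whether a KDC configured with pkinit_dh_min_bits = 4096 admits a client proposing P-384 (by the ordering given here it does, while a P-256 proposal would be rejected even though it is a curve rather than a finite-field group). Suggest one sentence after the list, e.g. "A client's proposed group is accepted if it ranks at or above the configured value in this ordering, so a setting of 4096 accepts P-384 and P-521 but rejects P-256." Minor wording: "minimum strength of Diffie-Hellman group" drops the article; "minimum strength of the Diffie-Hellman group" reads better.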
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index ecdf917..651e0e7 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -1128,9 +1128,10 @@ PKINIT krb5.conf options
option is not recommended.
**pkinit_dh_min_bits**
- Specifies the size of the Diffie-Hellman key the client will
- attempt to use. The acceptable values are 1024, 2048, and 4096.
- The default is 2048.
+ Specifies the group of the Diffie-Hellman key the client will
+ attempt to use. The acceptable values are 1024, 2048, P-256,
+ 4096, P-384, and P-521. The default is 2048. (P-256, P-384, and
+ P-521 are new in release 1.22.)
**pkinit_identities**
Specifies the location(s) to be used to find the user's X.509
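Review bot: The krb5_conf.rst hunk documents only what the client proposes, but the commit message says the client now accepts a KDC's TD-DH-PARAMETERS counter-proposal only if it is one of the three Oakley groups or the three supported curves, where previously any parameters passing EVP_PKEY_param_check()/DH_check() with equal or better strength were accepted. That is a client-visible behavior change against KDCs that return other parameters and belongs in this option's description, e.g. "If the KDC rejects the proposed group and offers an alternative, the client accepts only 1024, 2048, 4096, P-256, P-384, or P-521." Also, "the group of the Diffie-Hellman key the client will attempt to use" is awkward; "the Diffie-Hellman group the client will propose" matches the kdc_conf.rst wording in the same change.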