[20035] in Kerberos_V5_Development
Current semantics for channel-bindings in GSSAPI
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Thu Feb 27 20:28:02 2020
MIME-Version: 1.0
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 28 Feb 2020 02:27:32 +0100
Message-ID: <CAC-fF8QdP9vRMMfxsxHL-APvsTRwdktbeiR0HrqjxYAE_To4Xg@mail.gmail.com>
To: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, Simo Sorce <simo@redhat.com>,
Nico Williams <nico@cryptonector.com>, Greg Hudson <ghudson@mit.edu>,
Stefan Metzmacher <metze@samba.org>, rharwood@redhat.com,
Andrew Bartlett <abartlet@samba.org>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
Hi Greg, all,
Following the discussion on IRC, there is currently a difference
between Heimdal and MIT: when the client does not send bindings and
the server does pass bindings to accept(), in MIT it fails, in Heimdal
it succeeds.
In Windows, there is a three-option flag:
LdapEnforceChannelBindings=0 - not enforced at all.
LdapEnforceChannelBindings=1 - enforced on supporting clients
(bindings not zeroes, and that ad-element).
LdapEnforceChannelBindings=2 - enforced for all clients.
To my understanding, we can implement LdapEnforceChannelBindings=2 in
MIT and LdapEnforceChannelBindings=1 in Heimdal by passing the
bindings to accept(), but not vice versa.
In my opinion the MIT behavior is correct, as it indeed allows
enforcing channel binding, and I think we should consider the same in
Heimdal.
Nevertheless, we need a way to implement both options. The only way I
can currently think of to implement LdapEnforceChannelBindings=1 in
MIT is to call accept() twice and hope not to get replay errors.
Thoughts?
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
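As an added illustration (not code from MIT Kerberos, Heimdal or Windows), the following model expresses the three LdapEnforceChannelBindings levels from the mail as a single acceptor-side decision function and shows which level each library's "pass bindings to accept()" behaviour corresponds to. The 16-byte binding hash, the "client signalled support" flag standing in for the AD element, and the channel-binding values are constructed stand-ins for the model.

```python
import hashlib
from typing import Optional

# Constructed model: an all-zero 16-byte hash means "client sent no bindings".
ZERO_HASH = bytes(16)


def bindings_hash(cb: Optional[bytes]) -> bytes:
    """Stand-in for the 16-byte binding hash a client puts in its authenticator
    checksum (MD5 is used here only to get a 16-byte digest for the model)."""
    return ZERO_HASH if cb is None else hashlib.md5(cb).digest()


def accept(level: int, client_hash: bytes, cbt_flag: bool,
           server_cb: Optional[bytes]) -> bool:
    """Acceptor decision for one LdapEnforceChannelBindings level.
    0: never enforced; 1: enforced only for clients that signalled support
    (non-zero hash or the CBT flag); 2: enforced for every client."""
    if server_cb is None or level == 0:
        return True                      # nothing passed to accept(), or not enforced
    client_sent = client_hash != ZERO_HASH or cbt_flag
    if not client_sent:
        return level == 1                # level 1 tolerates legacy clients, level 2 rejects
    return client_hash == bindings_hash(server_cb)   # supporting client must match


def mit_accept(client_hash: bytes, cbt_flag: bool, server_cb: Optional[bytes]) -> bool:
    """MIT: passing bindings to accept() rejects a client that sent none (level 2)."""
    return accept(2, client_hash, cbt_flag, server_cb)


def heimdal_accept(client_hash: bytes, cbt_flag: bool, server_cb: Optional[bytes]) -> bool:
    """Heimdal: passing bindings to accept() tolerates a client that sent none (level 1)."""
    return accept(1, client_hash, cbt_flag, server_cb)


def evaluate(server_cb: Optional[bytes], client_cb: Optional[bytes], cbt_flag: bool) -> dict:
    """Run one scenario through all three levels and both libraries."""
    h = bindings_hash(client_cb)
    return {
        "level0": accept(0, h, cbt_flag, server_cb),
        "level1": accept(1, h, cbt_flag, server_cb),
        "level2": accept(2, h, cbt_flag, server_cb),
        "mit": mit_accept(h, cbt_flag, server_cb),
        "heimdal": heimdal_accept(h, cbt_flag, server_cb),
    }


if __name__ == "__main__":
    tls = b"constructed-tls-channel-binding"
    print("legacy client:  ", evaluate(tls, None, False))
    print("matching client:", evaluate(tls, tls, True))
    print("relayed client: ", evaluate(tls, b"some-other-channel", True))
```

The "legacy client" row is the case the mail describes: MIT rejects it and Heimdal accepts it, which is exactly the gap between level 2 and level 1.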