In-Reply-To: <18cdd00f-f939-3d4b-1ef8-588af3a097fe@mit.edu>
From: Isaac Boukris <iboukris@gmail.com>
Date: Mon, 2 Mar 2020 15:12:28 +0100
Message-ID: <CAC-fF8Rrh+L-WiohT3hWbBaJQnV9Hv756MEFcJobDapchn9P=Q@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>, Simo Sorce <simo@redhat.com>,
Nico Williams <nico@cryptonector.com>

On Fri, Feb 28, 2020 at 6:00 PM Greg Hudson <ghudson@mit.edu> wrote:
>
> On 2/27/20 8:27 PM, Isaac Boukris wrote:
> > Following the discussion on IRC, there is currently a difference
> > between Heimdal and MIT, when the client does not send bindings, and
> > the server does pass bindings to accept(), in MIT it fails, in Heimdal
> > it succeeds.
>
> There are a few reasons why I think Heimdal's behavior is better:

Taking a closer look at MIT accept() code, it looks like there is a
case where no checksum is provided at all, where MIT would skip
channel-bindings even if the server provided ones. It sounds like
Windows also supports this.

https://github.com/krb5/krb5/blob/2b1acc07a267782a7f4c9644da78587cc29b6f56/src/lib/gssapi/krb5/accept_sec_context.c#L659