[krbdev.mit.edu #7933] pkinit_win2k_require_binding behavior does not match documentation
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Jun 6 18:12:19 EDT 2014
The documentation for pkinit_win2k_require_binding states:
If this flag is set to true, it expects that the target KDC is
patched to return a reply with a checksum rather than a nonce.
The default is false.
The actual behavior is:
1. If pkinit_win2k_require_binding is set, then when generating a draft9
request, generate additional empty KRB5_PADATA_AS_CHECKSUM pa-data.
This instructs patched Active Directory KDCs to generate an RFC 4556
ReplyKeyPack with checksum, instead of a draft 9 ReplyKeyPack with
nonce.
2. Always accept a draft 9 ReplyKeyPack in a draft9 response.
We could change the documentation, but I think it's more useful to
change the code behavior. We should always generate
KRB5_PADATA_AS_CHECKSUM pa-data when generating a draft9 request, and
should only accept a draft9 ReplyKeyPack if the variable is false. We
should also consider changing the default value from false to true.
There is some additional conditionalization around the longhorn variable
which isn't really important. (I am pretty sure that we can safely
remove the longhorn variable at this point.)
All of this applies only to RSA, not DH.
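As an added illustration, not code from the krb5 project or from this report, the following Python model captures the two client-side decisions the report describes for the draft 9 (Windows 2000 PKINIT, RSA-only) path: which pa-data the client puts in its request, and whether it accepts a nonce-only ReplyKeyPack once a reply comes back. It contrasts the reported behavior with the proposed behavior, and adds a simplified checksum check to show why the checksum form binds the reply to the AS-REQ while the nonce form does not. Everything except the identifiers KRB5_PADATA_AS_CHECKSUM and pkinit_win2k_require_binding (the other pa-data name, the reply kinds, and the use of HMAC-SHA256 as a stand-in for the Kerberos checksum) is an assumption made for this example.

```python
# Added example, not krb5 source. Models the draft 9 PKINIT client logic the
# report describes. KRB5_PADATA_AS_CHECKSUM is the real pa-data name from the
# report; the other constants are assumptions for illustration only.
import hmac
import hashlib

KRB5_PADATA_AS_CHECKSUM = "KRB5_PADATA_AS_CHECKSUM"      # empty pa-data asking a patched AD KDC for a checksum reply
KRB5_PADATA_PK_AS_REQ_OLD = "KRB5_PADATA_PK_AS_REQ_OLD"  # assumed name for the draft 9 request pa-data

REPLY_RFC4556_CHECKSUM = "rfc4556_checksum"  # ReplyKeyPack carrying a checksum over the AS-REQ
REPLY_DRAFT9_NONCE = "draft9_nonce"          # ReplyKeyPack carrying only the request nonce


def build_draft9_request(require_binding: bool, current_behavior: bool) -> list:
    """Pa-data types a client sends in a draft 9 (RSA) request.
    current_behavior=True models the code as reported; False models the proposal."""
    padata = [KRB5_PADATA_PK_AS_REQ_OLD]
    if current_behavior:
        if require_binding:                      # reported: checksum only requested when flag is set
            padata.append(KRB5_PADATA_AS_CHECKSUM)
    else:
        padata.append(KRB5_PADATA_AS_CHECKSUM)   # proposal: always ask for a checksum-bound reply
    return padata


def accept_draft9_reply(require_binding: bool, reply_kind: str, current_behavior: bool) -> bool:
    """Whether the client accepts a ReplyKeyPack of the given kind in a draft 9 response."""
    if reply_kind == REPLY_RFC4556_CHECKSUM:
        return True
    if reply_kind == REPLY_DRAFT9_NONCE:
        if current_behavior:
            return True                          # reported: nonce reply always accepted
        return not require_binding               # proposal: nonce reply only when binding not required
    return False


def make_checksum_reply(reply_key: bytes, as_req: bytes) -> dict:
    """Constructed RFC 4556-style ReplyKeyPack: checksum over the AS-REQ keyed with the reply key.
    HMAC-SHA256 stands in for the real Kerberos checksum type (assumption)."""
    return {"kind": REPLY_RFC4556_CHECKSUM, "key": reply_key,
            "as_checksum": hmac.new(reply_key, as_req, hashlib.sha256).digest()}


def make_nonce_reply(reply_key: bytes, nonce: int) -> dict:
    """Constructed draft 9 ReplyKeyPack: carries the request nonce, nothing bound to the AS-REQ body."""
    return {"kind": REPLY_DRAFT9_NONCE, "key": reply_key, "nonce": nonce}


def reply_bound_to_request(reply: dict, as_req: bytes, nonce: int) -> bool:
    """Checksum replies are verified against the AS-REQ the client actually sent;
    nonce replies can only be matched on the nonce, so a substituted AS-REQ body is not detected."""
    if reply["kind"] == REPLY_RFC4556_CHECKSUM:
        expected = hmac.new(reply["key"], as_req, hashlib.sha256).digest()
        return hmac.compare_digest(expected, reply["as_checksum"])
    return reply["nonce"] == nonce


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    key, req, altered_req, nonce = b"\x01" * 32, b"AS-REQ:original", b"AS-REQ:tampered", 12345
    print(build_draft9_request(True, current_behavior=True))
    print(build_draft9_request(False, current_behavior=False))
    print(reply_bound_to_request(make_checksum_reply(key, req), altered_req, nonce))
    print(reply_bound_to_request(make_nonce_reply(key, nonce), altered_req, nonce))
```

The last two prints show the practical difference: the checksum reply fails verification when the AS-REQ the client holds differs from the one the KDC signed over, whereas the nonce-only reply still "matches" because it checks only the nonce. That is the gap the flag is meant to close, and why the report proposes rejecting nonce replies whenever pkinit_win2k_require_binding is true.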