Current semantics for channel-bindings in GSSAPI
Isaac Boukris
iboukris at gmail.com
Mon Mar 2 09:12:28 EST 2020
On Fri, Feb 28, 2020 at 6:00 PM Greg Hudson <ghudson at mit.edu> wrote:
>
> On 2/27/20 8:27 PM, Isaac Boukris wrote:
> > Following the discussion on IRC, there is currently a difference
> > between Heimdal and MIT: when the client does not send bindings and
> > the server does pass bindings to accept(), in MIT it fails, in Heimdal
> > it succeeds.
>
> There are a few reasons why I think Heimdal's behavior is better:

Taking a closer look at the MIT accept() code, it looks like there is a
case where no checksum is provided at all, where MIT would skip
channel-bindings even if the server provided them. It sounds like
Windows also supports this.
https://github.com/krb5/krb5/blob/2b1acc07a267782a7f4c9644da78587cc29b6f56/src/lib/gssapi/krb5/accept_sec_context.c#L659
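Added example, not part of the original message and not code from MIT krb5 or Heimdal: a C model of the acceptor-side decision for the cases discussed above. The function and enum names are hypothetical, and the checksum layout (Lgth, Bnd, Flags, with an all-zero Bnd when the client supplies no bindings) is assumed from RFC 4121 section 4.1.1; CB_STRICT models the behaviour the thread attributes to MIT and CB_LENIENT the one attributed to Heimdal.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative names, not taken from MIT krb5 or Heimdal. */
enum cb_result { CB_SKIPPED, CB_MATCH, CB_BAD_BINDINGS, CB_MALFORMED };
enum cb_policy { CB_STRICT,    /* zero Bnd vs. acceptor bindings: fail    */
                 CB_LENIENT }; /* zero Bnd vs. acceptor bindings: succeed */

/*
 * cksum/len: body of the client's 0x8003 authenticator checksum
 *            (Lgth[4] LE = 16, Bnd[16], Flags[4] LE), or NULL if the
 *            authenticator carried no checksum at all.
 * want:      16-byte hash of the acceptor's bindings, or NULL if the
 *            acceptor passed no bindings to accept().
 */
enum cb_result check_bindings(const uint8_t *cksum, size_t len,
                              const uint8_t *want, enum cb_policy policy)
{
    static const uint8_t zero[16];
    uint8_t diff = 0;

    if (want == NULL)
        return CB_SKIPPED;          /* acceptor did not ask for a check */
    if (cksum == NULL)
        return CB_SKIPPED;          /* no checksum: nothing to compare  */
    if (len < 24 || cksum[0] != 16 || cksum[1] || cksum[2] || cksum[3])
        return CB_MALFORMED;        /* Lgth must be 16, little-endian   */
    if (policy == CB_LENIENT && memcmp(cksum + 4, zero, 16) == 0)
        return CB_SKIPPED;          /* client sent no bindings          */
    for (size_t i = 0; i < 16; i++) /* compare without early exit       */
        diff |= (uint8_t)(cksum[4 + i] ^ want[i]);
    return diff ? CB_BAD_BINDINGS : CB_MATCH;
}

int main(void)
{
    /* Constructed sample: Lgth = 16, Bnd all zero, Flags = 0. */
    uint8_t none[24] = { 0x10 }, want[16];
    memset(want, 0xAB, sizeof(want));   /* constructed acceptor hash */
    printf("no checksum: %d\n", check_bindings(NULL, 0, want, CB_STRICT));
    printf("zero Bnd, strict: %d\n", check_bindings(none, 24, want, CB_STRICT));
    printf("zero Bnd, lenient: %d\n", check_bindings(none, 24, want, CB_LENIENT));
    return 0;
}
```

In both modelled policies the missing-checksum case returns CB_SKIPPED, so an acceptor that relies on bindings for channel protection cannot tell from a successful accept() alone that the check actually ran.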