Include empty PKINIT-KX padata

rfc6112 requires kdcs implementing anonymous PKINIT to include an empty PKINIT-KX padata in PREAUTH_REQUIRED messages. Including this improves compatibility with MIT kerberos.
2014-07-02 20:49:16 -04:00
parent 5f2a93f5ca
commit bf7f31ee09
1 changed files with 5 additions and 0 deletions
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -717,9 +717,14 @@ static const struct kdc_patypes pat[] = {
 	KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", PA_ANNOUNCE,
 	pa_pkinit_validate
    },
+    {
+	KRB5_PADATA_PKINIT_KX, "Anonymous PK-INIT", PA_ANNOUNCE,
+	NULL
+    },
 #else
    { KRB5_PADATA_PK_AS_REQ, "PK-INIT(ietf)", 0, NULL },
    { KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", 0, NULL },
+    { KRB5_PADATA_PKINIT_KX, "Anonymous PK-INIT", 0, NULL },
 #endif
    { KRB5_PADATA_PA_PK_OCSP_RESPONSE , "OCSP", 0, NULL },
    {