Bug 671277

Summary: pkinit-nss doesn't handle TD-DH-PARAMETERS error data correctly
Product: Red Hat Enterprise Linux 5
Reporter: Nalin Dahyabhai <nalin>
Component: pkinit-nss
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED WORKSFORME
QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified
Priority: medium
Version: 5.6
CC: benl, dpal
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-03-21 21:46:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 689612

Description Nalin Dahyabhai 2011-01-20 23:17:57 UTC
Description of problem:
When the DH parameters offered by the client aren't accepted by the server, the client fails to act properly based on the server-supplied parameters.

Version-Release number of selected component (if applicable):
pkinit-0.7.6-1.el5

How reproducible:
Always

Steps to Reproduce:
1. Configure the KDC to require DH key agreement using primes with a minimum size greater than that of the client's preferred group.
2. kinit

Actual results:
Client retries with the original set of parameters.

Expected results:
Client retries with one of the sets of parameters supplied by the KDC.

Additional info:
Hopefully this won't require changes to the preauth plugin backport.  The client can be configured to work around this, but it's a bug all the same.
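The exchange the report expects, as an added example that is not part of the original report or of pkinit-nss: a Python model of the RFC 4556 section 3.2.2 negotiation, in which the KDC rejects a DH group smaller than its minimum with KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED and lists the groups it does accept in a TD-DH-PARAMETERS typed-data element, and the client retries with one of those. The Kdc and negotiate names, the representation of a group by its prime size instead of an AlgorithmIdentifier, the ascending preference order of the KDC's list, and the three-attempt retry cap are assumptions made for this example; honour_td=False reproduces the "retry with the original parameters" behaviour the report describes, and the last scenario in the usage shows what happens when the client cannot use any group the KDC offers.

```python
"""Model of the PKINIT DH-parameter negotiation this bug describes (RFC 4556 3.2.2).

Added example, not code from pkinit-nss or MIT krb5: messages, group table and
policy knob are simplified stand-ins so the exchange can be run offline.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# Values RFC 4556 assigns to the error code and to the typed-data element.
KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED = 63
TD_DH_PARAMETERS = 109

# Modular groups PKINIT clients commonly offer, identified here by prime size
# (a real implementation carries an AlgorithmIdentifier with the parameters).
MODP_1024 = 1024   # RFC 2409 group 2
MODP_2048 = 2048   # RFC 3526 group 14
MODP_4096 = 4096   # RFC 3526 group 16


@dataclass
class KrbError:
    error_code: int
    e_data: List[Tuple[int, object]]   # (typed-data type, value) pairs


@dataclass
class AsRep:
    dh_bits: int                       # group the KDC agreed to use


class Kdc:
    """KDC that rejects any DH group smaller than dh_min_bits (assumed policy)."""

    def __init__(self, dh_min_bits: int, supported: List[int]):
        self.dh_min_bits = dh_min_bits
        self.supported = supported     # assumed preference order, smallest first

    def handle_as_req(self, offered_bits: int) -> Union[AsRep, KrbError]:
        if offered_bits >= self.dh_min_bits and offered_bits in self.supported:
            return AsRep(offered_bits)
        acceptable = [b for b in self.supported if b >= self.dh_min_bits]
        return KrbError(KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED,
                        [(TD_DH_PARAMETERS, acceptable)])


def dh_params_from_edata(err: KrbError) -> List[int]:
    """Extract the KDC's acceptable group list from the TD-DH-PARAMETERS element."""
    for td_type, value in err.e_data:
        if td_type == TD_DH_PARAMETERS:
            return list(value)
    return []


def pick_retry_group(err: KrbError, client_groups: List[int]) -> Optional[int]:
    """Correct client behaviour: first KDC-supplied group the client can also use."""
    for bits in dh_params_from_edata(err):
        if bits in client_groups:
            return bits
    return None


def negotiate(kdc: Kdc, client_groups: List[int], preferred_bits: int,
              honour_td: bool = True, max_tries: int = 3):
    """Run the AS exchange; returns (AsRep or None, list of groups offered).

    honour_td=False reproduces the behaviour reported above: the client ignores
    the e-data and retries with its original parameters until it gives up.
    """
    offered = []
    offer = preferred_bits
    for _ in range(max_tries):
        offered.append(offer)
        reply = kdc.handle_as_req(offer)
        if isinstance(reply, AsRep):
            return reply, offered
        if reply.error_code != KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED:
            return None, offered
        if honour_td:
            offer = pick_retry_group(reply, client_groups)
            if offer is None:          # nothing the KDC accepts is available locally
                return None, offered
    return None, offered


if __name__ == "__main__":
    kdc = Kdc(dh_min_bits=2048, supported=[MODP_1024, MODP_2048, MODP_4096])
    client = [MODP_1024, MODP_2048, MODP_4096]
    print("correct:", negotiate(kdc, client, MODP_1024))
    print("buggy:  ", negotiate(kdc, client, MODP_1024, honour_td=False))
    # Client capped below the KDC's minimum: no usable group in the e-data.
    print("capped: ", negotiate(Kdc(4096, [MODP_1024, MODP_2048, MODP_4096]),
                                [MODP_1024, MODP_2048], MODP_1024))
```

The check worth keeping from this model is the one in pick_retry_group: the retry group must come from the KDC's e-data and be intersected with what the client can actually generate, so that a client which cannot satisfy the KDC fails after one round instead of looping on parameters the KDC has already refused.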

Comment 1 Nalin Dahyabhai 2011-03-21 21:46:23 UTC
Upon further testing, it appears to be handling the error data just fine.  Errors encountered when the server was configured to require 4096 bits failed due to a hard-coded limit in NSS (filed as bug #689612).