git.ipfire.org Git - thirdparty/krb5.git/commit

author	Stefan Metzmacher <metze@samba.org>
	Fri, 1 Mar 2024 13:23:47 +0000 (14:23 +0100)
committer	Greg Hudson <ghudson@mit.edu>
	Mon, 6 May 2024 21:40:31 +0000 (17:40 -0400)
commit	6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a
tree	0aaf2d8be6557c8de905758c7df2eea858113c9f	tree
parent	0a3acc20564e82ba33741248cf25ca4d085d777f	commit \| diff

Add GSS flag to include KERB_AP_OPTIONS_CBT

The Microsoft KERB_AP_OPTIONS_CBT extension (defined in [MS-KILE]
3.2.5.8) allows the client to request strict enforcement of GSS
channel bindings.  Client support for this extension was added in
commit 225e6ef7f021cd1a8ef2a054af0ca58b7288fd81 (ticket 8900) but it
requires a configuration variable to be set.  The choice to include
the extension should be made by the client application code, as it is
a promise to include channel bindings when operating within TLS.

In libkrb5, add an option AP_OPTS_CBT_FLAG to make
krb5_mk_req[_extended]() include KERB_AP_OPTIONS_CBT.  In the GSS
initiator code, set this flag when the GSS_C_CHANNEL_BOUND flag is
included in the request options.  GSS_C_CHANNEL_BOUND was introduced
in commit 429a31146083fac21958631c2af572b08ec91022 (ticket 8899) as an
acceptor output flag.

[ghudson@mit.edu: rewrote commit message; adjusted some names;
simplified GSS initiator bookkeeping; added documentation]

ticket: 9122 (new)

doc/appdev/gssapi.rst		diff \| blob \| blame \| history
doc/appdev/refs/macros/index.rst		diff \| blob \| blame \| history
src/include/krb5/krb5.hin		diff \| blob \| blame \| history
src/lib/gssapi/krb5/init_sec_context.c		diff \| blob \| blame \| history
src/lib/krb5/krb/mk_req_ext.c		diff \| blob \| blame \| history
src/tests/gssapi/t_bindings.c		diff \| blob \| blame \| history
src/tests/gssapi/t_bindings.py		diff \| blob \| blame \| history