author | Stefan Metzmacher <metze@samba.org> | 2024-03-01 14:23:47 +0100 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2024-05-06 17:40:31 -0400 |
commit | 6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a (patch) | |
tree | 0aaf2d8be6557c8de905758c7df2eea858113c9f /doc/appdev/gssapi.rst | |
parent | 0a3acc20564e82ba33741248cf25ca4d085d777f (diff) | |
download | krb5-6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a.zip krb5-6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a.tar.gz krb5-6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a.tar.bz2 |
Add GSS flag to include KERB_AP_OPTIONS_CBT
The Microsoft KERB_AP_OPTIONS_CBT extension (defined in [MS-KILE]
3.2.5.8) allows the client to request strict enforcement of GSS
channel bindings. Client support for this extension was added in
commit 225e6ef7f021cd1a8ef2a054af0ca58b7288fd81 (ticket 8900) but it
requires a configuration variable to be set. The choice to include
the extension should be made by the client application code, as it is
a promise to include channel bindings when operating within TLS.
In libkrb5, add an option AP_OPTS_CBT_FLAG to make
krb5_mk_req[_extended]() include KERB_AP_OPTIONS_CBT. In the GSS
initiator code, set this flag when the GSS_C_CHANNEL_BOUND flag is
included in the request options. GSS_C_CHANNEL_BOUND was introduced
in commit 429a31146083fac21958631c2af572b08ec91022 (ticket 8899) as an
acceptor output flag.
[ghudson@mit.edu: rewrote commit message; adjusted some names;
simplified GSS initiator bookkeeping; added documentation]
ticket: 9122 (new)
Diffstat (limited to 'doc/appdev/gssapi.rst')
-rw-r--r-- | doc/appdev/gssapi.rst | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/doc/appdev/gssapi.rst b/doc/appdev/gssapi.rst index 339fd6c..b58f412 100644 --- a/doc/appdev/gssapi.rst +++ b/doc/appdev/gssapi.rst 
@@ -424,6 +424,42 @@ set. If the library does not support the query, gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**. +Channel binding behavior and GSS_C_CHANNEL_BOUND_FLAG +----------------------------------------------------- + +GSSAPI channel bindings can be used to limit the scope of a context +establishment token to a particular protected channel or endpoint, +such as a TLS channel or server certificate. Channel bindings can be +supplied via the *input_chan_bindings* parameter to either +gss_init_sec_context() or gss_accept_sec_context(). + +If both the initiator and acceptor of a GSSAPI exchange supply +matching channel bindings, **GSS_C_CHANNEL_BOUND_FLAG** will be +included in the gss_accept_sec_context() *ret_flags* result. If +either the initiator or acceptor (or both) do not supply channel +bindings, the exchange will succeed, but **GSS_C_CHANNEL_BOUND_FLAG** +will not be included in the return flags. If the acceptor and +initiator both inlude channel bindings but they do not match, the +exchange will fail. + +If **GSS_C_CHANNEL_BOUND_FLAG** is included in the *req_flags* +parameter of gss_init_sec_context(), the initiator will add the +Microsoft KERB_AP_OPTIONS_CBT extension to the Kerberos authenticator. +This extension requests that the acceptor strictly enforce channel +bindings, causing the exchange to fail if the acceptor supplies +channel bindings and the initiator does not. The KERB_AP_OPTIONS_CBT +extension will also be included if the +**client_aware_channel_bindings** variable is set to ``true`` in +:ref:`libdefaults`. + +Prior to release 1.19, **GSS_C_CHANNEL_BOUND_FLAG** is not +implemented, and the exchange will fail if the acceptor supply channel +bindings and the initiator does not (but not vice versa). Between +releases 1.19 and 1.21, **GSS_C_CHANNEL_BOUND_FLAG** is not recognized +as an initiator flag, so **client_aware_channel_bindings** is the only +way to cause KERB_AP_OPTIONS_CBT to be included. 
+ + AEAD message wrapping --------------------- |
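Review bot: two wording errors in the new "Channel binding behavior and GSS_C_CHANNEL_BOUND_FLAG" section of this hunk: "If the acceptor and initiator both inlude channel bindings" should read "include", and in the version-history paragraph "the exchange will fail if the acceptor supply channel bindings and the initiator does not" needs "supplies" to agree with "the acceptor". The same paragraph names the releases in which GSS_C_CHANNEL_BOUND_FLAG is not implemented (before 1.19) and in which it is not recognized as an initiator flag (1.19 through 1.21) but never states the release in which this change makes it an accepted initiator flag; adding that release number would let application authors decide whether they can rely on the req_flags path or must still set client_aware_channel_bindings. Also worth a sentence here: the text says the initiator "will add the Microsoft KERB_AP_OPTIONS_CBT extension" when the flag is requested, but does not say whether the initiator sees any indication in its own ret_flags, or whether a mismatch is reported as a specific error rather than a generic failure; a reader configuring enforcement will look for that.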