diff options
| author | Stefan Metzmacher <metze@samba.org> | 2024-03-01 14:23:47 +0100 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2024-05-06 17:40:31 -0400 |
| commit | 6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a (patch) | |
| tree | 0aaf2d8be6557c8de905758c7df2eea858113c9f /src/include/k5-int.h | |
| parent | 0a3acc20564e82ba33741248cf25ca4d085d777f (diff) | |
| download | krb5-6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a.zip krb5-6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a.tar.gz krb5-6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a.tar.bz2 | |
Add GSS flag to include KERB_AP_OPTIONS_CBT
The Microsoft KERB_AP_OPTIONS_CBT extension (defined in [MS-KILE]
3.2.5.8) allows the client to request strict enforcement of GSS
channel bindings. Client support for this extension was added in
commit 225e6ef7f021cd1a8ef2a054af0ca58b7288fd81 (ticket 8900) but it
requires a configuration variable to be set. The choice to include
the extension should be made by the client application code, as it is
a promise to include channel bindings when operating within TLS.
In libkrb5, add an option AP_OPTS_CBT_FLAG to make
krb5_mk_req[_extended]() include KERB_AP_OPTIONS_CBT. In the GSS
initiator code, set this flag when the GSS_C_CHANNEL_BOUND flag is
included in the request options. GSS_C_CHANNEL_BOUND was introduced
in commit 429a31146083fac21958631c2af572b08ec91022 (ticket 8899) as an
acceptor output flag.
[ghudson@mit.edu: rewrote commit message; adjusted some names;
simplified GSS initiator bookkeeping; added documentation]
ticket: 9122 (new)
Diffstat (limited to 'src/include/k5-int.h')
0 files changed, 0 insertions, 0 deletions