author | Stefan Metzmacher <metze@samba.org> | 2024-03-01 14:23:47 +0100 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2024-05-06 17:40:31 -0400 |
commit | 6b74b6c18feab1f3d72d00ae412a93c6bfa4a00a (patch) | |
tree | 0aaf2d8be6557c8de905758c7df2eea858113c9f /src/include/krb5/krb5.hin | |
parent | 0a3acc20564e82ba33741248cf25ca4d085d777f (diff) | |
Add GSS flag to include KERB_AP_OPTIONS_CBT

The Microsoft KERB_AP_OPTIONS_CBT extension (defined in [MS-KILE]
3.2.5.8) allows the client to request strict enforcement of GSS
channel bindings. Client support for this extension was added in
commit 225e6ef7f021cd1a8ef2a054af0ca58b7288fd81 (ticket 8900) but it
requires a configuration variable to be set. The choice to include
the extension should be made by the client application code, as it is
a promise to include channel bindings when operating within TLS.

In libkrb5, add an option AP_OPTS_CBT_FLAG to make
krb5_mk_req[_extended]() include KERB_AP_OPTIONS_CBT. In the GSS
initiator code, set this flag when the GSS_C_CHANNEL_BOUND flag is
included in the request options. GSS_C_CHANNEL_BOUND was introduced
in commit 429a31146083fac21958631c2af572b08ec91022 (ticket 8899) as an
acceptor output flag.

[ghudson@mit.edu: rewrote commit message; adjusted some names;
simplified GSS initiator bookkeeping; added documentation]

ticket: 9122 (new)
Diffstat (limited to 'src/include/krb5/krb5.hin')
-rw-r--r-- | src/include/krb5/krb5.hin | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index 4e09ed3..7496383 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -1658,6 +1658,7 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, #define AP_OPTS_USE_SESSION_KEY 0x40000000 /**< Use session key */ #define AP_OPTS_MUTUAL_REQUIRED 0x20000000 /**< Perform a mutual authentication exchange */ +#define AP_OPTS_CBT_FLAG 0x00000004 /* include KERB_AP_OPTIONS_CBT */ #define AP_OPTS_ETYPE_NEGOTIATION 0x00000002 #define AP_OPTS_USE_SUBKEY 0x00000001 /**< Generate a subsession key from the current session key @@ -1689,7 +1690,6 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, /* #define AP_OPTS_RESERVED 0x00000020 */ /* #define AP_OPTS_RESERVED 0x00000010 */ /* #define AP_OPTS_RESERVED 0x00000008 */ -/* #define AP_OPTS_RESERVED 0x00000004 */ #define AP_OPTS_WIRE_MASK 0xfffffff0 |
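Review bot: in the first hunk (around line 1658), the new AP_OPTS_CBT_FLAG define carries a plain /* include KERB_AP_OPTIONS_CBT */ comment, while the AP_OPTS_USE_SESSION_KEY and AP_OPTS_MUTUAL_REQUIRED defines just above it use the Doxygen /**< ... */ form, so the new flag would be left out of API documentation generated from this header. Since this is a public, application-settable option, suggest /**< Include KERB_AP_OPTIONS_CBT */ and, if space allows, a few words saying that setting it is a commitment by the caller to supply channel bindings, as the commit message explains.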
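Review bot: in the second hunk (around line 1689), the reserved placeholder for 0x00000004 is dropped but AP_OPTS_WIRE_MASK directly below stays at 0xfffffff0, so the newly assigned bit sits outside the mask together with AP_OPTS_ETYPE_NEGOTIATION (0x00000002) and AP_OPTS_USE_SUBKEY (0x00000001). If that is intentional, meaning the flag is a library-local request option that is masked off rather than sent in the ap-options field, a one-line comment at AP_OPTS_WIRE_MASK stating that bits below 0x00000010 are local-only would make the reliance explicit and keep the remaining reserved 0x00000008 slot from being mistaken for a wire bit later.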