gssapi: add channel-bound return flag

In gss_accept_sec_context, return a new flag to let
the caller know that bindings were provided and verified.

lib/gssapi/gssapi/gssapi.h

@@ -174,6 +174,7 @@ typedef OM_uint32 gss_qop_t;
 #define GSS_C_PROT_READY_FLAG 128
 #define GSS_C_TRANS_FLAG 256
 
+#define GSS_C_CHANNEL_BOUND_FLAG 2048
 #define GSS_C_DCE_STYLE 4096
 #define GSS_C_IDENTIFY_FLAG 8192
 #define GSS_C_EXTENDED_ERROR_FLAG 16384

lib/gssapi/krb5/8003.c

@@ -181,6 +181,7 @@ _gsskrb5_verify_8003_checksum(
     OM_uint32 length;
     int DlgOpt;
     static unsigned char zeros[16];
+    krb5_boolean channel_bound = FALSE;
 
     /* XXX should handle checksums > 24 bytes */
     if(cksum->cksumtype != CKSUMTYPE_GSSAPI || cksum->checksum.length < 24) {
@@ -207,6 +208,7 @@ _gsskrb5_verify_8003_checksum(
 	    *minor_status = 0;
 	    return GSS_S_BAD_BINDINGS;
 	}
+	channel_bound = TRUE;
     }
 
     p += sizeof(hash);
@@ -241,5 +243,11 @@ _gsskrb5_verify_8003_checksum(
 	memcpy(fwd_data->data, p, fwd_data->length);
     }
 
+    if (channel_bound) {
+	*flags |= GSS_C_CHANNEL_BOUND_FLAG;
+    } else {
+	*flags &= ~GSS_C_CHANNEL_BOUND_FLAG;
+    }
+
     return GSS_S_COMPLETE;
 }