gss: set GSS_C_CHANNEL_BOUND_FLAG for SAnon

SAnon includes channel bindings as part of the key derivation function, so they cannot be ignored. Always set GSS_C_CHANNEL_BOUND_FLAG in the SAnon acceptor.
2021-08-06 13:21:07 +10:00
parent d83321fdf3
commit 8330e45444
1 changed files with 2 additions and 1 deletions
--- a/lib/gssapi/sanon/accept_sec_context.c
+++ b/lib/gssapi/sanon/accept_sec_context.c
@@ -117,7 +117,8 @@ _gss_sanon_accept_sec_context(OM_uint32 *minor,
    req_flags &= SANON_PROTOCOL_FLAG_MASK;

    req_flags |= GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
-		 GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG | GSS_C_TRANS_FLAG;
+		 GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG | GSS_C_TRANS_FLAG |
+		 GSS_C_CHANNEL_BOUND_FLAG; /* CB part of KDF, so always validated */

    major = _gss_sanon_import_rfc4121_context(minor, sc, req_flags, &session_key);
    if (major != GSS_S_COMPLETE)