From 8330e45444f09c9caeace437ca12efdeafd1cbe4 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Fri, 6 Aug 2021 13:21:07 +1000
Subject: [PATCH] gss: set GSS_C_CHANNEL_BOUND_FLAG for SAnon

SAnon includes channel bindings as part of the key derivation function, so they cannot be ignored. Always set GSS_C_CHANNEL_BOUND_FLAG in the SAnon acceptor.
---
 lib/gssapi/sanon/accept_sec_context.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/gssapi/sanon/accept_sec_context.c b/lib/gssapi/sanon/accept_sec_context.c
index f31c974ee..72cbe09b0 100644
--- a/lib/gssapi/sanon/accept_sec_context.c
+++ b/lib/gssapi/sanon/accept_sec_context.c
@@ -117,7 +117,8 @@ _gss_sanon_accept_sec_context(OM_uint32 *minor,
 req_flags &= SANON_PROTOCOL_FLAG_MASK;
 req_flags |= GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG | GSS_C_TRANS_FLAG;
+ GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG | GSS_C_TRANS_FLAG |
+ GSS_C_CHANNEL_BOUND_FLAG; /* CB part of KDF, so always validated */
 major = _gss_sanon_import_rfc4121_context(minor, sc, req_flags, &session_key);
 if (major != GSS_S_COMPLETE)
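Review bot: `GSS_C_CHANNEL_BOUND_FLAG` is OR-ed into `req_flags` unconditionally, so it would presumably also be reported when the acceptor's caller supplied `GSS_C_NO_CHANNEL_BINDINGS` and nothing ties the context to an outer channel. An application that reads this flag as "the context is bound to my TLS channel" could then trust a binding it never asked for; how the bindings argument is handled is outside this hunk, so this needs confirming against the rest of the function. If the flag is intended to mean only "a bindings mismatch cannot produce a working context", the trailing comment should say so, for example `/* CB are mixed into the KDF, so a mismatch yields a different key; set even when the caller passed no bindings */`. The body of `_gss_sanon_accept_sec_context` starts and ends outside the hunk.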