Implement KERB_AP_OPTIONS_CBT (server side)

if the client asserted knowledge of channel-bindings by passing KERB_AP_OPTIONS_CBT, and the server passed bindings, require the bindings to match.
2020-04-21 20:12:21 +02:00
parent 51ce4c8d15
commit a4527a28a3
6 changed files with 65 additions and 4 deletions
--- a/lib/krb5/krb5_locl.h
+++ b/lib/krb5/krb5_locl.h
@@ -391,4 +391,7 @@ struct krb5_pk_init_ctx_data {
 # define ISPATHSEP(x) (x == '/')
 #endif

+/* Flag in KRB5_AUTHDATA_AP_OPTIONS */
+#define KERB_AP_OPTIONS_CBT 0x00004000
+
 #endif /* __KRB5_LOCL_H__ */
--- a/lib/krb5/libkrb5-exports.def.in
+++ b/lib/krb5/libkrb5-exports.def.in
@@ -788,6 +788,7 @@ EXPORTS
 	_krb5_kt_client_default_name
 	_krb5_have_debug
 	_krb5_SP800_108_HMAC_KDF
+	_krb5_get_ad

 	; Shared with libkadm5
 	_krb5_load_plugins
--- a/lib/krb5/version-script.map
+++ b/lib/krb5/version-script.map
@@ -780,6 +780,7 @@ HEIMDAL_KRB5_2.0 {
 		_krb5_kt_client_default_name;
 		_krb5_have_debug;
 		_krb5_SP800_108_HMAC_KDF;
+		_krb5_get_ad;

 		# Shared with libkadm5
 		_krb5_load_plugins;