lib/gssapi/krb5: implement GSS_C_CHANNEL_BOUND_FLAG for gss_init_sec_context()

This will force KERB_AP_OPTIONS_CBT to be sent. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621 Signed-off-by: Stefan Metzmacher <metze@samba.org>
2024-03-01 13:17:41 +01:00
parent 6b08c05258
commit ba8c3dbc62
6 changed files with 62 additions and 2 deletions
--- a/lib/gssapi/krb5/8003.c
+++ b/lib/gssapi/krb5/8003.c
@@ -87,6 +87,11 @@ _gsskrb5_create_8003_checksum (
 {
    u_char *p;

+#define _GSS_C_NON_8003_WIRE_FLAGS \
+	GSS_C_CHANNEL_BOUND_FLAG
+
+    flags &= ~_GSS_C_NON_8003_WIRE_FLAGS;
+
    /*
     * see rfc1964 (section 1.1.1 (Initial Token), and the checksum value
     * field's format) */
--- a/lib/gssapi/krb5/init_sec_context.c
+++ b/lib/gssapi/krb5/init_sec_context.c
@@ -498,6 +498,7 @@ init_auth_restart
    krb5_data fwd_data, timedata;
    int32_t offset = 0, oldoffset = 0;
    uint32_t flagmask;
+    krb5_boolean channel_bound = FALSE;

    krb5_data_zero(&outbuf);
    krb5_data_zero(&fwd_data);
@@ -587,6 +588,11 @@ init_auth_restart
    }
    flags |= GSS_C_TRANS_FLAG;

+    if (req_flags & GSS_C_CHANNEL_BOUND_FLAG) {
+	flags |= GSS_C_CHANNEL_BOUND_FLAG;
+	channel_bound = TRUE;
+    }
+
    if (ret_flags)
 	*ret_flags = flags;
    ctx->flags = flags;
@@ -626,6 +632,7 @@ init_auth_restart
 				     enctype,
 				     ctx->kcred,
 				     &cksum,
+				     channel_bound,
 				     &authenticator,
 				     KRB5_KU_AP_REQ_AUTH);