lib/gssapi/krb5: implement GSS_C_CHANNEL_BOUND_FLAG for gss_init_sec_context()

This will force KERB_AP_OPTIONS_CBT to be sent.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15621

Signed-off-by: Stefan Metzmacher <metze@samba.org>

tests/gss/check-context.in

@@ -389,6 +389,41 @@ for mech in krb5 spnego; do
 		--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
 		{ eval "$testfailed"; }
 
+	echo "${mech}: initiator null bindings bound (client-aware-flag)" ; > messages.log
+	${context} -v --i-channel-bound \
+		--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+		{ eval "$testfailed"; }
+	grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+		{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+	echo "${mech}: initiator only bindings (client-aware-flag)" ; > messages.log
+	${context} -v --i-channel-bound \
+		--i-channel-bindings=abc \
+		--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+		{ eval "$testfailed"; }
+	grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null && \
+		{ echo "channel-bound flag unexpected"; eval "$testfailed"; }
+
+	echo "${mech}: acceptor only bindings (client-aware-flag)" ; > messages.log
+	${context} -v --i-channel-bound \
+		--a-channel-bindings=abc \
+		--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+		{ eval "$testfailed"; }
+
+	echo "${mech}: matching bindings (client-aware-flag)" ; > messages.log
+	${context} -v --i-channel-bound \
+		--i-channel-bindings=abc --a-channel-bindings=abc \
+		--mech-type=$mech host@lucid.test.h5l.se > cbinding.log || \
+		{ eval "$testfailed"; }
+	grep "sflags:" cbinding.log | grep "channel-bound" > /dev/null || \
+		{ echo "no channel-bound flag"; eval "$testfailed"; }
+
+	echo "${mech}: non matching bindings (client-aware-flag)" ; > messages.log
+	${context} -v --i-channel-bound \
+		--i-channel-bindings=abc --a-channel-bindings=xyz \
+		--mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
+		{ eval "$testfailed"; }
+
 done
 
 #echo "sasl-digest-md5"