Merge branch 'jake/channel-bindings' into dev

Interface support for channel bindings

Author: jake-scott

examples/go/gss-client/gss-client

@@ -3,11 +3,11 @@ package gssapi
 
 import "net"
 
-type gssAddressFamily int
+type GssAddressFamily int
 
 const (
-	GssAddrFamilyUNSPEC gssAddressFamily = 0
-	GssAddrFamilyLOCAL  gssAddressFamily = 1 << iota
+	GssAddrFamilyUNSPEC GssAddressFamily = 0
+	GssAddrFamilyLOCAL  GssAddressFamily = 1 << iota
 	GssAddrFamilyINET
 	GssAddrFamilyIMPLINK
 	GssAddrFamilyPUP

examples/testvectors/rack.kt

@@ -14,6 +14,14 @@ const (
 	ContextFlagConf                             // confidentiality available
 	ContextFlagInteg                            // integrity available
 	ContextFlagAnon                             // do not transfer initiator identity to acceptor
+
+	// extensions
+	ContextFlagChannelBound = 0x800 // require channel bindings
+
+	// Microsoft extensions - see RFC 4757 § 7.1
+	ContextFlagDceStyle      = 0x1000 // add extra AP-REP from client to server after receiving server's AP-REP
+	ContextFlagIdentify      = 0x2000 // server should identify the client but not impersonate it
+	ContextFlagExtendedError = 0x4000 // return Windows status code in Kerberos error messages
 )
 
 // FlagList returns a slice of individual flags derived from the
@@ -48,6 +56,14 @@ func FlagName(f ContextFlag) string {
 		return "Integrity"
 	case ContextFlagAnon:
 		return "Anonymous"
+	case ContextFlagChannelBound:
+		return "Channel Bindings"
+	case ContextFlagDceStyle:
+		return "DCE style"
+	case ContextFlagIdentify:
+		return "Identify only"
+	case ContextFlagExtendedError:
+		return "Extended errors"
 	}
 
 	return "Unknown"

examples/testvectors/robot.cc

@@ -43,10 +43,11 @@ func NewProvider(name string) Provider {
 type QoP uint
 
 type InitSecContextOptions struct {
-	Credential Credential
-	Mech       GssMech
-	Flags      ContextFlag
-	Lifetime   time.Duration
+	Credential     Credential
+	Mech           GssMech
+	Flags          ContextFlag
+	Lifetime       time.Duration
+	ChannelBinding *ChannelBinding
 }
 
 type InitSecContextOption func(o *InitSecContextOptions)
@@ -75,6 +76,12 @@ func WithInitiatorLifetime(life time.Duration) InitSecContextOption {
 	}
 }
 
+func WithChannelBinding(cb *ChannelBinding) InitSecContextOption {
+	return func(o *InitSecContextOptions) {
+		o.ChannelBinding = cb
+	}
+}
+
 // Provider is the interface that defines the top level GSSAPI functions that
 // create name, credential and security contexts
 type Provider interface {
@@ -125,7 +132,7 @@ type Provider interface {
 	//
 	//   A partially established context may allow the creation of protected messages.
 	//   Check the [SecContextInfo.ProtectionReady] flag by calling [SecContext.Inquire()].
-	AcceptSecContext(cred Credential, inputToken []byte) (SecContext, []byte, error) // RFC 2743 § 2.2.2
+	AcceptSecContext(cred Credential, inputToken []byte, cb *ChannelBinding) (SecContext, []byte, error) // RFC 2743 § 2.2.2
 
 	// ImportSecContext corresponds to the GSS_Import_sec_context function from RFC 2743 § 2.2.9
 	// Parameters: