Module Name: krb5
Committed By: hartmans
Date: Wed Jun 9 18:30:02 UTC 2004

Modified Files:
    krb5/src/lib/gssapi/krb5/ChangeLog
    krb5/src/lib/gssapi/krb5/accept_sec_context.c
Added Files:
Removed Files:

Log Message
Ticket: new
Subject: If channel bindings are supplied to server require them to be matched.

Based on discussion on kerberos@mit.edu, the decision to allow null channel bindings from a client to match even when server channel bindings are supplied is flawed. This decision assumes that we cannot get server implementations to change even though we are able to deploy a new Kerberos implementation on the server. In practice the server implementations in question have actually changed and so the only part of revision 1.54 of accept_sec_context.c we actually need is the code to ignore channel bindings if null channel bindings are passed into the server.

Thus the change to allow null channel bindings from the client to match against any channel bindings on the server is backed out.

To generate a diff of this commit:
cvs diff -r1.254 -r1.255 krb5/src/lib/gssapi/krb5/ChangeLog
cvs diff -r1.88 -r1.89 krb5/src/lib/gssapi/krb5/accept_sec_context.c
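
The matching rule described in the log message above, as an added C example that is not code from accept_sec_context.c or from the krb5 project. `struct cb`, the `policy` enum and `bindings_acceptable` are hypothetical names, and a channel binding is modelled here as an optional 16-byte digest; the example contrasts the backed-out rule with the rule kept after this commit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model: a binding is either absent (null) or a 16-byte digest. */
struct cb {
    bool present;
    unsigned char digest[16];
};

enum policy {
    POLICY_LENIENT, /* the rule the log message backs out */
    POLICY_STRICT   /* the rule in force after this commit */
};

/* Compares all 16 bytes without an early exit on the first mismatch. */
static bool digest_equal(const unsigned char *a, const unsigned char *b)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < 16; i++)
        diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Returns true when the acceptor should let context establishment continue. */
bool bindings_acceptable(enum policy p, const struct cb *server,
                         const struct cb *client)
{
    /* Kept by the commit: a server that passes null bindings opts out. */
    if (!server->present)
        return true;
    /* Client sent null bindings although the server supplied some. */
    if (!client->present)
        return p == POLICY_LENIENT;
    return digest_equal(server->digest, client->digest);
}

/* Constructed sample values, not real channel-binding digests. */
static const struct cb NO_CB = { false, {0} };
static const struct cb TLS_A = { true, "constructed-aaa" };
static const struct cb TLS_B = { true, "constructed-bbb" };

int main(void)
{
    /* Exit status 0 means the strict rule rejected the missing bindings. */
    return bindings_acceptable(POLICY_STRICT, &TLS_A, &NO_CB) ? 1 : 0;
}
```

Under the lenient rule a client that omits its bindings is accepted by a server that supplied them, so the server's binding requirement can be bypassed by sending none; the strict rule rejects that case.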