`SASL_SEC_NONSTD_CBIND` can't be enabled?

I ran across this while doing some work with the test suite, and I only have a shaky understanding of any of this code so it's possible I'm missing something.

#716 added this security flag which is supposed to allow explicitly enabling channel bindings for the GSSAPI mechanism. However, if I set this flag in the test programs it results in the GSSAPI mechanism being rejected when the library checks to see if it's suitable: https://github.com/cyrusimap/cyrus-sasl/blob/537af16986caff73ef45ab54a5a020bfb636ddaf/lib/client.c#L808-L811

When I tried adding the flag to https://github.com/cyrusimap/cyrus-sasl/blob/537af16986caff73ef45ab54a5a020bfb636ddaf/plugins/gssapi.c#L2625-L2629 and https://github.com/cyrusimap/cyrus-sasl/blob/537af16986caff73ef45ab54a5a020bfb636ddaf/plugins/gssapi.c#L1876-L1880 so that these checks could pass it appeared to revert to having channel bindings enabled by default. The only way I was able to get the tests working was to explicitly ignore this flag while doing the comparisons (https://github.com/flowerysong/cyrus-sasl/commit/1ba967884b1d8de0a3ae379f9492256513f6d59c), which feels wrong.

	SASL_SEC_NOPLAINTEXT
	\| SASL_SEC_NOACTIVE
	\| SASL_SEC_NOANONYMOUS
	\| SASL_SEC_MUTUAL_AUTH
	\| SASL_SEC_PASS_CREDENTIALS, /* security_flags */

	SASL_SEC_NOPLAINTEXT
	\| SASL_SEC_NOACTIVE
	\| SASL_SEC_NOANONYMOUS
	\| SASL_SEC_MUTUAL_AUTH /* security_flags */
	\| SASL_SEC_PASS_CREDENTIALS,

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`SASL_SEC_NONSTD_CBIND` can't be enabled? #853

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	/* Does it meet our security properties? */
	if (((myflags ^ m->m.plug->security_flags) & myflags) != 0) {
	break;
	}

SASL_SEC_NONSTD_CBIND can't be enabled? #853

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

`SASL_SEC_NONSTD_CBIND` can't be enabled? #853