SASL_SEC_NONSTD_CBIND can't be enabled? #853

Open
flowerysong opened this issue Aug 3, 2024 · 2 comments


@flowerysong
Contributor

I ran across this while doing some work with the test suite, and I only have a shaky understanding of any of this code so it's possible I'm missing something.

#716 added this security flag which is supposed to allow explicitly enabling channel bindings for the GSSAPI mechanism. However, if I set this flag in the test programs it results in the GSSAPI mechanism being rejected when the library checks to see if it's suitable:

cyrus-sasl/lib/client.c

Lines 808 to 811 in 537af16

    /* Does it meet our security properties? */
    if (((myflags ^ m->m.plug->security_flags) & myflags) != 0) {
        break;
    }

When I tried adding the flag to

cyrus-sasl/plugins/gssapi.c

Lines 2625 to 2629 in 537af16

SASL_SEC_NOPLAINTEXT
| SASL_SEC_NOACTIVE
| SASL_SEC_NOANONYMOUS
| SASL_SEC_MUTUAL_AUTH
| SASL_SEC_PASS_CREDENTIALS, /* security_flags */
and

cyrus-sasl/plugins/gssapi.c

Lines 1876 to 1880 in 537af16

SASL_SEC_NOPLAINTEXT
| SASL_SEC_NOACTIVE
| SASL_SEC_NOANONYMOUS
| SASL_SEC_MUTUAL_AUTH /* security_flags */
| SASL_SEC_PASS_CREDENTIALS,
so that these checks could pass it appeared to revert to having channel bindings enabled by default. The only way I was able to get the tests working was to explicitly ignore this flag while doing the comparisons (flowerysong@1ba9678), which feels wrong.
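An added example, not part of the original issue or the cyrus-sasl source: the check quoted from lib/client.c modelled as a stand-alone C program, showing which requested flag causes the rejection and that the check gives the same answer for a caller that never asked for the flag. The `EX_*` names, their bit values and the helper functions are constructed for illustration and are not taken from sasl.h.

```c
#include <stdio.h>

/* Constructed bit values for illustration; not copied from sasl.h. */
#define EX_NOPLAINTEXT      0x01u
#define EX_NOACTIVE         0x02u
#define EX_NOANONYMOUS      0x04u
#define EX_MUTUAL_AUTH      0x08u
#define EX_PASS_CREDENTIALS 0x10u
#define EX_NONSTD_CBIND     0x20u

/* Flags the application requested that the plugin does not advertise.
 * Same expression as the check quoted from lib/client.c. */
static unsigned missing_flags(unsigned myflags, unsigned plug_flags)
{
    return (myflags ^ plug_flags) & myflags;
}

/* A mechanism passes only when nothing requested is missing. */
static int mech_is_suitable(unsigned myflags, unsigned plug_flags)
{
    return missing_flags(myflags, plug_flags) == 0;
}

/* The five flags shown in the quoted plugins/gssapi.c excerpts. */
static unsigned gssapi_flags_as_quoted(void)
{
    return EX_NOPLAINTEXT | EX_NOACTIVE | EX_NOANONYMOUS
         | EX_MUTUAL_AUTH | EX_PASS_CREDENTIALS;
}

int main(void)
{
    unsigned plug = gssapi_flags_as_quoted();
    unsigned want = EX_NOPLAINTEXT | EX_NONSTD_CBIND; /* app opts in */
    unsigned plain = EX_NOPLAINTEXT;                  /* app does not */

    printf("flag absent from plugin:  opt-in suitable=%d missing=0x%02x\n",
           mech_is_suitable(want, plug), missing_flags(want, plug));
    plug |= EX_NONSTD_CBIND;
    printf("flag present in plugin:   opt-in suitable=%d missing=0x%02x\n",
           mech_is_suitable(want, plug), missing_flags(want, plug));
    /* The check also passes for a caller that never set the flag, so
     * passing it says nothing about whether the application opted in. */
    printf("flag present in plugin:   no opt-in suitable=%d\n",
           mech_is_suitable(plain, plug));
    return 0;
}
```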

@quanah
Contributor

quanah commented Sep 6, 2024

hm, #862 ?

@scabrero

> hm, #862 ?

Hi @quanah,

I opened the PR and then found this issue where @flowerysong pointed out that adding the flag to security_flags seems to revert to having channel bindings enabled by default.
