cyrusimap / cyrus-sasl


`SASL_SEC_NONSTD_CBIND` can't be enabled? #853

Open flowerysong opened 4 months ago

flowerysong commented 4 months ago

I ran across this while doing some work with the test suite, and I only have a shaky understanding of any of this code so it's possible I'm missing something.

#716 added this security flag which is supposed to allow explicitly enabling channel bindings for the GSSAPI mechanism. However, if I set this flag in the test programs it results in the GSSAPI mechanism being rejected when the library checks to see if it's suitable: https://github.com/cyrusimap/cyrus-sasl/blob/537af16986caff73ef45ab54a5a020bfb636ddaf/lib/client.c#L808-L811

When I tried adding the flag to https://github.com/cyrusimap/cyrus-sasl/blob/537af16986caff73ef45ab54a5a020bfb636ddaf/plugins/gssapi.c#L2625-L2629 and https://github.com/cyrusimap/cyrus-sasl/blob/537af16986caff73ef45ab54a5a020bfb636ddaf/plugins/gssapi.c#L1876-L1880 so that these checks could pass, it appeared to revert to having channel bindings enabled by default. The only way I was able to get the tests working was to explicitly ignore this flag while doing the comparisons (https://github.com/flowerysong/cyrus-sasl/commit/1ba967884b1d8de0a3ae379f9492256513f6d59c), which feels wrong.
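A simplified model of the comparison discussed in the comment above, added here as an illustration and not taken from cyrus-sasl or from the linked commit. It assumes the suitability check requires every requested security flag to be advertised by the mechanism; the `EX_` names and flag values are constructed.

```c
#include <stdio.h>

/* Constructed values for this example; not copied from sasl.h. */
#define EX_SEC_NOPLAINTEXT  0x01u
#define EX_SEC_NOANONYMOUS  0x02u
#define EX_SEC_MUTUAL_AUTH  0x04u
#define EX_SEC_NONSTD_CBIND 0x80u /* stand-in for the opt-in flag */

struct ex_mech {
    const char *name;
    unsigned advertised; /* flags the plugin says it satisfies */
};

/* Assumed strict check: returns the requested bits the mechanism does
 * not advertise; 0 means the mechanism is suitable. */
unsigned ex_missing_strict(unsigned requested, unsigned advertised)
{
    return requested & ~advertised;
}

/* Same check with the opt-in bit left out of the comparison, which is
 * what "ignore this flag while doing the comparisons" amounts to. */
unsigned ex_missing_masked(unsigned requested, unsigned advertised)
{
    return ex_missing_strict(requested & ~EX_SEC_NONSTD_CBIND, advertised);
}

int main(void)
{
    /* Constructed mechanism entries: one without and one with the flag. */
    struct ex_mech plain_gss = { "gssapi (flag not advertised)",
        EX_SEC_NOPLAINTEXT | EX_SEC_NOANONYMOUS | EX_SEC_MUTUAL_AUTH };
    struct ex_mech cbind_gss = { "gssapi (flag advertised)",
        plain_gss.advertised | EX_SEC_NONSTD_CBIND };
    struct ex_mech *mechs[] = { &plain_gss, &cbind_gss };

    /* The application asks for two real requirements plus the opt-in bit. */
    unsigned req = EX_SEC_NOPLAINTEXT | EX_SEC_NOANONYMOUS | EX_SEC_NONSTD_CBIND;

    for (int i = 0; i < 2; i++)
        printf("%-30s strict missing=0x%02x  masked missing=0x%02x\n",
               mechs[i]->name,
               ex_missing_strict(req, mechs[i]->advertised),
               ex_missing_masked(req, mechs[i]->advertised));
    return 0;
}
```

The model covers only the comparison step; it does not reproduce the plugin behaviour that decides whether channel bindings end up enabled.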

quanah commented 2 months ago

hm, #862 ?

scabrero commented 2 months ago

> hm, #862 ?

Hi @quanah,

I opened the PR and then found this issue where @flowerysong pointed out that adding the flag to security_flags seems to revert to having channel bindings enabled by default.