From e6a1138bcea6e357cc44a66b493f7ce24b5b65d4 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero
Date: Fri, 6 Sep 2024 17:27:33 +0200
Subject: [PATCH] Allow SASL_SEC_NONSTD_CBIND flag in GSSAPI and GSS-SPNEGO
Commit 8735185e9d5550e0f11e1ce4b77e391a16e4145b introduced this new flag to enable channel bindings on mechs not supposed to support them, but setting it results in an empty mech list due to plugin's security_flags check in sasl_client_start(). Allow this flag in GSSAPI and GSS-SPNEGO plugins.
Signed-off-by: Samuel Cabrero
---
 lib/client.c | 7 ++++++-
 plugins/gssapi.c | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/client.c b/lib/client.c
index e778463b..71cc3790 100644
--- a/lib/client.c
+++ b/lib/client.c
@@ -168,6 +168,8 @@ static int mech_compare(const sasl_client_plug_t *a,
 if (sec_diff & b->security_flags & SASL_SEC_NODICTIONARY) return -1;
 if (sec_diff & a->security_flags & SASL_SEC_FORWARD_SECRECY) return 1;
 if (sec_diff & b->security_flags & SASL_SEC_FORWARD_SECRECY) return -1;
+ if (sec_diff & a->security_flags & SASL_SEC_NONSTD_CBIND) return 1;
+ if (sec_diff & b->security_flags & SASL_SEC_NONSTD_CBIND) return -1;
 features_diff = a->features ^ b->features;
 if (features_diff & a->features & SASL_FEAT_CHANNEL_BINDING) return 1;
@@ -1216,7 +1218,10 @@ _sasl_print_mechanism (
 delimiter = '|';
 }
-
+ if (m->plug->security_flags & SASL_SEC_NONSTD_CBIND) {
+ printf ("%cNONSTD_CBIND", delimiter);
+ delimiter = '|';
+ }
 printf ("\n\tfeatures:");
diff --git a/plugins/gssapi.c b/plugins/gssapi.c
index 630ad691..082cbd7e 100644
--- a/plugins/gssapi.c
+++ b/plugins/gssapi.c
@@ -2626,6 +2626,7 @@ static sasl_client_plug_t gssapi_client_plugins[] =
 | SASL_SEC_NOACTIVE
 | SASL_SEC_NOANONYMOUS
 | SASL_SEC_MUTUAL_AUTH
+ | SASL_SEC_NONSTD_CBIND
 | SASL_SEC_PASS_CREDENTIALS, /* security_flags */
 SASL_FEAT_NEEDSERVERFQDN
 | SASL_FEAT_WANT_CLIENT_FIRST
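Review bot: In the lib/client.c hunk at mech_compare, the two added `SASL_SEC_NONSTD_CBIND` comparisons sit before the `features_diff` block, so a plugin advertising the nonstandard flag appears to be ranked ahead of one offering `SASL_FEAT_CHANNEL_BINDING` whenever the earlier security-flag checks do not decide. The commit message only describes an empty mech list caused by the security_flags check in sasl_client_start(), which the plugin-table change addresses; the ordering change is not explained and may alter which mechanism a client prefers even when it never asked for the flag. If the ranking is intended, document it next to the new lines, e.g. `/* nonstandard channel binding: ranked below forward secrecy, above SASL_FEAT_CHANNEL_BINDING because <reason> */`; otherwise drop the two lines or move them after the features comparison. mech_compare starts and ends outside the hunk, so how its result is consumed should be confirmed against the full function.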
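Review bot: In plugins/gssapi.c the first entry of `gssapi_client_plugins[]` (and the second entry, in the following hunk at -2649) now advertises `SASL_SEC_NONSTD_CBIND` unconditionally, so the entry passes a caller's security_flags filter whether or not bindings are actually applied to the exchange. Nothing visible in this diff ties the flag to the code that supplies channel-binding data to the GSS context, so it is worth confirming that every build of the plugin honours it; otherwise an application that required the property could assume its authentication is bound to the outer channel when it is not. A short comment beside the flag would help, e.g. `/* claimed so callers requiring SASL_SEC_NONSTD_CBIND keep this mech; see the client step for where bindings are applied */` (wording to be checked against that code). The array initialiser begins and ends outside both hunks, and only the client table is touched here, so whether the server table needs a matching change cannot be judged from this page.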
@@ -2649,6 +2650,7 @@ static sasl_client_plug_t gssapi_client_plugins[] =
 | SASL_SEC_NOACTIVE
 | SASL_SEC_NOANONYMOUS
 | SASL_SEC_MUTUAL_AUTH
+ | SASL_SEC_NONSTD_CBIND
 | SASL_SEC_PASS_CREDENTIALS, /* security_flags */
 SASL_FEAT_NEEDSERVERFQDN
 | SASL_FEAT_WANT_CLIENT_FIRST