From 1ba967884b1d8de0a3ae379f9492256513f6d59c Mon Sep 17 00:00:00 2001
From: Paul Arthur <paul.arthur@flowerysong.com>
Date: Wed, 31 Jul 2024 05:23:54 +0000
Subject: [PATCH] Fix channel binding test

This doesn't feel quite right, but it does work.

Signed-off-by: Paul Arthur <paul.arthur@flowerysong.com>
---
 lib/client.c         | 3 +++
 lib/server.c         | 3 +++
 tests/runtests.py    | 2 +-
 tests/t_gssapi_cli.c | 3 +++
 tests/t_gssapi_srv.c | 3 +++
 5 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/lib/client.c b/lib/client.c
index e778463b..ece8fe66 100644
--- a/lib/client.c
+++ b/lib/client.c
@@ -797,6 +797,9 @@ int sasl_client_start(sasl_conn_t *conn,
 
 	    myflags = conn->props.security_flags;
 
+	    /* not a real security flag */
+	    myflags &= ~SASL_SEC_NONSTD_CBIND;
+
 	    /* if there's an external layer with a better SSF then this is no
 	     * longer considered a plaintext mechanism
 	     */
diff --git a/lib/server.c b/lib/server.c
index b44155f4..fe66128e 100644
--- a/lib/server.c
+++ b/lib/server.c
@@ -1315,6 +1315,9 @@ static int mech_permitted(sasl_conn_t *conn,
     /* special case plaintext */
     myflags = conn->props.security_flags;
 
+    /* not a real security flag */
+    myflags &= ~SASL_SEC_NONSTD_CBIND;
+
     /* if there's an external layer this is no longer plaintext */
     if ((conn->props.min_ssf <= conn->external.ssf) && 
 	(conn->external.ssf > 1)) {
diff --git a/tests/runtests.py b/tests/runtests.py
index 97f1688c..66d43c1a 100755
--- a/tests/runtests.py
+++ b/tests/runtests.py
@@ -406,7 +406,7 @@ def gssapi_tests(testdir):
     print('    ', end='')
     err += gssapi_channel_binding_test(kenv)
 
-    print('GSSAPI CHANNEL BINDING MISMTACH:')
+    print('GSSAPI CHANNEL BINDING MISMATCH:')
     print('    ', end='')
     err += gssapi_channel_binding_mismatch_test(kenv)
 
diff --git a/tests/t_gssapi_cli.c b/tests/t_gssapi_cli.c
index 1af45cb7..2e464058 100644
--- a/tests/t_gssapi_cli.c
+++ b/tests/t_gssapi_cli.c
@@ -163,6 +163,9 @@ int main(int argc, char *argv[])
 
     if (cb.name) {
         sasl_setprop(conn, SASL_CHANNEL_BINDING, &cb);
+        sasl_security_properties_t secprops = { 0 };
+        secprops.security_flags = SASL_SEC_NONSTD_CBIND;
+        sasl_setprop(conn, SASL_SEC_PROPS, &secprops);
     }
 
     if (spnego) {
diff --git a/tests/t_gssapi_srv.c b/tests/t_gssapi_srv.c
index 2524c8b0..934ec55f 100644
--- a/tests/t_gssapi_srv.c
+++ b/tests/t_gssapi_srv.c
@@ -166,6 +166,9 @@ int main(int argc, char *argv[])
 
     if (cb.name) {
         sasl_setprop(conn, SASL_CHANNEL_BINDING, &cb);
+        sasl_security_properties_t secprops = { 0 };
+        secprops.security_flags = SASL_SEC_NONSTD_CBIND;
+        sasl_setprop(conn, SASL_SEC_PROPS, &secprops);
     }
 
     if (plain) {