gss: mask out SAnon req_flags after computing session key

In SAnon, the optional flags send in the initial context token are input into
the key derivation function. Mask out the flags we wish to ignore after (not
before) calling the key derivation function, as the initiator may not know
which flags we wish to ignore.

diff --git a/lib/gssapi/sanon/accept_sec_context.c b/lib/gssapi/sanon/accept_sec_context.c
index 51ba51a0a33d60cffac48c13e77e9e154d7cebb2..74f4aa04a9fc78df7a380d72e8bc83e4f2058c92 100644 (file)
--- a/lib/gssapi/sanon/accept_sec_context.c
+++ b/lib/gssapi/sanon/accept_sec_context.c
@@ -107,14 +107,14 @@ _gss_sanon_accept_sec_context(OM_uint32 *minor,
        _gss_mg_decode_be_uint32(&p[4], &req_flags);
     }
 
-    req_flags &= SANON_PROTOCOL_FLAG_MASK; /* do not let initiator set any other flags */
-
     /* compute shared secret */
     major = _gss_sanon_curve25519(minor, sc, &initiator_pk, req_flags,
                                  input_chan_bindings, &session_key);
     if (major != GSS_S_COMPLETE)
        goto out;
 
+    req_flags &= SANON_PROTOCOL_FLAG_MASK; /* do not let initiator set any other flags */
+
     req_flags |= GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
         GSS_C_INTEG_FLAG | GSS_C_ANON_FLAG | GSS_C_TRANS_FLAG;