gensec_gssapi: only cache the session key in STAGE_DONE

The key may change because we switch from initiator to acceptor
subkey.

metze
(This used to be commit 66244092a457b2cde6339cb31dcfa73b122ba9b5)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 0df40dc82fbc75e6a6588ec75c1ad12e42bf40c7..20d08078be401620c509fcdce294954b87dd1636 100644 (file)
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1236,12 +1236,16 @@ static NTSTATUS gensec_gssapi_session_key(struct gensec_security *gensec_securit
                return NT_STATUS_NO_USER_SESSION_KEY;
        }
        
-       DEBUG(10, ("Got KRB5 session key of length %d\n",  
-                  (int)KRB5_KEY_LENGTH(subkey)));
-       gensec_gssapi_state->session_key = data_blob_talloc(gensec_gssapi_state, 
-                                                           KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
+       DEBUG(10, ("Got KRB5 session key of length %d%s\n",
+                  (int)KRB5_KEY_LENGTH(subkey),
+                  (gensec_gssapi_state->sasl_state == STAGE_DONE)?" (done)":""));
+       *session_key = data_blob_talloc(gensec_gssapi_state,
+                                       KRB5_KEY_DATA(subkey), KRB5_KEY_LENGTH(subkey));
        krb5_free_keyblock(gensec_gssapi_state->smb_krb5_context->krb5_context, subkey);
-       *session_key = gensec_gssapi_state->session_key;
+       if (gensec_gssapi_state->sasl_state == STAGE_DONE) {
+               /* only cache in the done stage */
+               gensec_gssapi_state->session_key = *session_key;
+       }
        dump_data_pw("KRB5 Session Key:\n", session_key->data, session_key->length);
 
        return NT_STATUS_OK;