authorRuss Allbery <rra@stanford.edu>2011-09-20 21:51:36 -0700
committerRuss Allbery <rra@stanford.edu>2011-09-20 21:53:52 -0700
commit7d9ed207d690f48b10ee9995e2bddc475b75990b (patch)
treeec118f26b7e51bbb9b5eecb212dd712a288967d2 /client
parentf630ce734ffab64998232ccce35a9ec41b7c9ed6 (diff)
Check GSS-API context flags in the client after context is complete
In the client, only check the negotiated GSS-API context flags after the context has been fully established. Current versions of Heimdal, including the system Kerberos libraries in Mac OS X Lion, only declare mutual authentication once the context negotiation is complete.
Diffstat (limited to 'client')
-rw-r--r--client/open.c23
1 files changed, 13 insertions, 10 deletions
diff --git a/client/open.c b/client/open.c
index 9acd0a1..f30afd0 100644
--- a/client/open.c
+++ b/client/open.c
@@ -232,16 +232,6 @@ internal_open(struct remctl *r, const char *host, unsigned short port,
goto fail;
}
- /*
- * If the flags we get back from the server are bad and we're doing
- * protocol v2, report an error and abort.
- */
- if (r->protocol > 1 && (gss_flags & req_gss_flags) != req_gss_flags) {
- internal_set_error(r, "server did not negotiate acceptable"
- " GSS-API flags");
- goto fail;
- }
-
/* If we're still expecting more, retrieve it. */
if (major == GSS_S_CONTINUE_NEEDED) {
status = token_recv(fd, &flags, &recv_tok, TOKEN_MAX_LENGTH);
@@ -256,6 +246,19 @@ internal_open(struct remctl *r, const char *host, unsigned short port,
}
} while (major == GSS_S_CONTINUE_NEEDED);
+ /*
+ * If the flags we get back from the server are bad and we're doing
+ * protocol v2, report an error and abort. This must be done after
+ * establishing the context, since Heimdal doesn't report all flags until
+ * context negotiation is complete.
+ */
+ if (r->protocol > 1 && (gss_flags & req_gss_flags) != req_gss_flags) {
+ internal_set_error(r, "server did not negotiate acceptable GSS-API"
+ " flags");
+ goto fail;
+ }
+
+ /* Success. Set the context in the struct remctl object. */
r->context = gss_context;
r->ready = 0;
gss_release_name(&minor, &name);
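Review bot: When the moved flag check at the `if (r->protocol > 1 && ...)` line fails, gss_context is by then a fully established security context (the do/while above has exited with major no longer GSS_S_CONTINUE_NEEDED) but r->context has not yet been assigned, so the `fail:` label, which is outside this hunk, must tear that context down itself or every rejected server leaks a context; whether it does cannot be seen from here. If `fail:` only cleans up via r->context, add `gss_delete_sec_context(&minor, &gss_context, GSS_C_NO_BUFFER);` immediately before the new `goto fail`, or set `r->context = gss_context;` before the check so the existing cleanup path covers it. Note that this check is the only point at which mutual authentication and the other requested flags are enforced, so it must not be skipped on any path that reaches the assignment below; the `r->protocol > 1` gate is pre-existing and leaves protocol v1 connections unverified, which the comment could state explicitly. The body of internal_open begins before and continues after this hunk.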