From 7b916b5f9a3db5b268639d2d68cfa85e20a83266 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 18 Jun 2015 21:07:58 +0200
Subject: [PATCH] s4:gensec/gssapi: make calculation of
 gensec_gssapi_sig_size() for aes keys more clear

This way the result matches what gss_wrap_iov_length() would return.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
 source4/auth/gensec/gensec_gssapi.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index fd0f2a1986d..b3a469770d6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -1470,11 +1470,10 @@ static size_t gensec_gssapi_sig_size(struct gensec_security *gensec_security, si
 
 	if (gensec_gssapi_state->lucid->protocol == 1) {
 		if (gensec_gssapi_state->gss_got_flags & GSS_C_CONF_FLAG) {
-			/*
-			 * TODO: windows uses 76 here, but we don't know
-			 *       gss_wrap works with aes keys yet
-			 */
-			gensec_gssapi_state->sig_size = 76;
+			gensec_gssapi_state->sig_size = 60;
+			if (gensec_gssapi_state->gss_got_flags & GSS_C_DCE_STYLE) {
+				gensec_gssapi_state->sig_size += 16;
+			}
 		} else {
 			gensec_gssapi_state->sig_size = 28;
 		}
-- 
2.11.4.GIT