From a80abc45a572132b7f425e526cd60c0cf49f28e2 Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Tue, 16 Sep 2025 23:27:23 +0500
Subject: [PATCH] sasl: clear canceled mechanism instead of toggling it

Use &= ~authused in SASL_CANCEL (was ^=) to actually remove the offending mechanism and avoid re-enabling a disabled mech on retry.

Closes #18573
---
 lib/curl_sasl.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
index 8eb63fb949..9c86f3ea08 100644
--- a/lib/curl_sasl.c
+++ b/lib/curl_sasl.c
@@ -812,7 +812,9 @@ CURLcode Curl_sasl_continue(struct SASL *sasl, struct Curl_easy *data,
 case SASL_CANCEL:
 /* Remove the offending mechanism from the supported list */
- sasl->authmechs ^= sasl->authused;
+ sasl->authmechs &= (unsigned short)~sasl->authused;
+ sasl->authused = SASL_AUTH_NONE;
+ sasl->curmech = NULL;
 /* Start an alternative SASL authentication */
 return Curl_sasl_start(sasl, data, sasl->force_ir, progress);
--
2.47.3
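Review bot: The comment above the changed line in the `SASL_CANCEL` case still describes only the removal, and neither it nor the commit message explains the two added resets of `sasl->authused` and `sasl->curmech`. I would extend it to record why clearing matters, e.g. `/* Clear (not toggle) the bit: XOR would re-enable a mechanism already absent from authmechs */`, and put `/* Drop the cancelled mechanism's state before restarting */` above the two resets. The `(unsigned short)` cast hard-codes the width of `authmechs`, which is declared outside this hunk; if that field were ever widened, the cast would silently mask off the upper mechanism bits, so a short comment tying the cast to the field's type would help. The body of `Curl_sasl_continue` starts and ends outside the hunk, so it cannot be confirmed from here how `Curl_sasl_start` behaves once the last mechanism has been cleared and `authmechs` is empty.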