GSSEAP_SM_TRANSITION_NEXT(ctx);
*minor = 0;
+ *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
return GSS_S_CONTINUE_NEEDED;
}
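Review bot: The added `*smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;` ahead of `return GSS_S_CONTINUE_NEEDED;` has no comment explaining why the handler now marks its own output token critical, and the same bare line is added just before `cleanup:` in the later hunk. The table entries in this commit drop `SM_ITOK_FLAG_CRITICAL`, so the handler is presumably now the only place where criticality is decided. I would put a comment above both lines, for example `/* the EAP request must not be ignored by the peer: mark the output token critical */`. In both hunks only the success path sets the flag, and the function bodies start outside the hunks, so confirm that no other path emits a token without it.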
frresp = rs_packet_frpkt(resp);
switch (frresp->code) {
- case PW_AUTHENTICATION_ACK:
case PW_ACCESS_CHALLENGE:
+ case PW_AUTHENTICATION_ACK:
break;
case PW_AUTHENTICATION_REJECT:
*minor = GSSEAP_RADIUS_AUTH_FAILURE;
major = GSS_S_CONTINUE_NEEDED;
*minor = 0;
+ *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
cleanup:
if (request != NULL)
ITOK_TYPE_NONE,
ITOK_TYPE_EAP_REQ,
GSSEAP_STATE_INITIAL,
- SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
+ SM_ITOK_FLAG_REQUIRED,
eapGssSmAcceptIdentity,
},
{
ITOK_TYPE_EAP_RESP,
ITOK_TYPE_EAP_REQ,
GSSEAP_STATE_AUTHENTICATE,
- SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
+ SM_ITOK_FLAG_REQUIRED,
eapGssSmAcceptAuthenticate
},
{
ITOK_TYPE_GSS_CHANNEL_BINDINGS,
ITOK_TYPE_NONE,
GSSEAP_STATE_INITIATOR_EXTS,
- SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
+ SM_ITOK_FLAG_REQUIRED,
eapGssSmAcceptGssChannelBindings,
},
{
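Review bot: The three acceptor entries lose `SM_ITOK_FLAG_CRITICAL`, but a runtime `SM_FLAG_OUTPUT_TOKEN_CRITICAL` replacement is visible for only two handler paths in this commit, and none is shown for `eapGssSmAcceptGssChannelBindings`. That entry's output type is `ITOK_TYPE_NONE`, so it may not need one, but the flag's exact meaning is not visible here and should be confirmed. A token that silently stops being critical could presumably be skipped by a peer rather than failing the exchange. Since the table no longer documents criticality, a comment on the array such as `/* output-token criticality is set by each handler via SM_FLAG_OUTPUT_TOKEN_CRITICAL */` would help. The array starts and ends outside the hunk.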
GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
}
ctx->gssFlags = gssFlags;
- } else {
+ } else if (GSS_ERROR(major) &&
+ (*smFlags & SM_FLAG_INPUT_TOKEN_CRITICAL) == 0) {
+ /* pretend reauthentication attempt never happened */
gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
- *smFlags |= SM_FLAG_RESTART;
major = GSS_S_CONTINUE_NEEDED;
}
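Review bot: With the branch narrowed to `else if (GSS_ERROR(major) && (*smFlags & SM_FLAG_INPUT_TOKEN_CRITICAL) == 0)`, a failure on a critical input token now skips the fallback and leaves `ctx->kerberosCtx` and `CTX_FLAG_KRB_REAUTH` in place. That is presumably meant to surface the error, but the rest of the function lies outside the hunk, so confirm the reauthentication state is torn down on that path. In the fallback branch `major` is overwritten with `GSS_S_CONTINUE_NEEDED` while `*minor` is not reset in the visible lines, so a stale minor status may be returned; consider adding `*minor = 0;` beside it, as the other handlers in this commit do. The fallback also discards the original failure silently, so tracing the failed `major` before the overwrite would make repeated fallbacks visible to operators. The comment could say what actually happens, e.g. `/* non-critical reauth failure: drop Kerberos state and restart from GSSEAP_STATE_INITIAL */`.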