assert(cred != GSS_C_NO_CREDENTIAL);
- if (ctx->state == GSSEAP_STATE_INITIAL) {
+ if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) {
if (!gssEapCanReauthP(cred, target, timeReq))
return GSS_S_CONTINUE_NEEDED;
ctx->gssFlags = gssFlags;
- *smFlags |= SM_FLAG_STOP_EVAL;
-
if (major == GSS_S_COMPLETE) {
major = gssEapReauthComplete(minor, ctx, cred, actualMech, timeRec);
if (GSS_ERROR(major))
goto cleanup;
- ctx->state = GSSEAP_STATE_ESTABLISHED;
+ GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
} else {
- ctx->state = GSSEAP_STATE_REAUTHENTICATE;
+ GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_REAUTHENTICATE);
}
cleanup:
OM_uint32 major;
struct eap_config eapConfig;
+ if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE) {
+ /* server didn't support reauthentication, sent EAP request */
+ GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
+ ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
+ *smFlags |= SM_FLAG_RESTART;
+ } else {
+ *smFlags |= SM_FLAG_FORCE_SEND_TOKEN;
+ }
+
assert((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0);
assert(inputToken == GSS_C_NO_BUFFER);
return GSS_S_FAILURE;
}
- /* force sending of empty token */
+ GSSEAP_SM_TRANSITION_NEXT(ctx);
+
*minor = 0;
- *smFlags |= SM_FLAG_TRANSITION | SM_FLAG_FORCE_SEND_TOKEN;
return GSS_S_CONTINUE_NEEDED;
}
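Review bot: The fallback at L22-L29 from Kerberos reauthentication to a full EAP exchange is decided solely by the acceptor's reply, and the one-line comment does not say that the initiator is being downgraded; I would expand it to `/* acceptor declined reauthentication and sent an EAP request: drop CTX_FLAG_KRB_REAUTH and restart the state machine from INITIAL so the full EAP exchange runs instead */`. Since SM_FLAG_RESTART re-runs evaluation from GSSEAP_STATE_INITIAL, it is worth confirming that the new INITIAL pass cannot re-enter this reauthentication path (clearing the flag presumably prevents it) so that a peer answering with EAP requests cannot keep the initiator restarting. The enclosing function starts outside the hunk.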
ctx->flags &= ~(CTX_FLAG_EAP_SUCCESS);
major = GSS_S_CONTINUE_NEEDED;
- *smFlags |= SM_FLAG_TRANSITION;
+ GSSEAP_SM_TRANSITION_NEXT(ctx);
} else if (ctx->flags & CTX_FLAG_EAP_FAIL) {
major = GSS_S_DEFECTIVE_CREDENTIAL;
*minor = GSSEAP_PEER_AUTH_FAILURE;
#endif /* GSSEAP_ENABLE_REAUTH */
static OM_uint32
-eapGssSmInitCompleteExts(OM_uint32 *minor,
- gss_cred_id_t cred,
- gss_ctx_id_t ctx,
- gss_name_t target,
- gss_OID mech,
- OM_uint32 reqFlags,
- OM_uint32 timeReq,
- gss_channel_bindings_t chanBindings,
- gss_buffer_t inputToken,
- gss_buffer_t outputToken,
- OM_uint32 *smFlags)
+eapGssSmInitCompleteInitiatorExts(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t ctx,
+ gss_name_t target,
+ gss_OID mech,
+ OM_uint32 reqFlags,
+ OM_uint32 timeReq,
+ gss_channel_bindings_t chanBindings,
+ gss_buffer_t inputToken,
+ gss_buffer_t outputToken,
+ OM_uint32 *smFlags)
{
+ GSSEAP_SM_TRANSITION_NEXT(ctx);
+
*minor = 0;
+ *smFlags |= SM_FLAG_FORCE_SEND_TOKEN;
- if (ctx->state == GSSEAP_STATE_INITIATOR_EXTS) {
- *smFlags |= SM_FLAG_TRANSITION | SM_FLAG_STOP_EVAL;
- return GSS_S_CONTINUE_NEEDED;
- } else {
- ctx->state = GSSEAP_STATE_ESTABLISHED;
- *smFlags |= SM_FLAG_STOP_EVAL;
- return GSS_S_COMPLETE;
- }
+ return GSS_S_CONTINUE_NEEDED;
+}
+
+static OM_uint32
+eapGssSmInitCompleteAcceptorExts(OM_uint32 *minor,
+ gss_cred_id_t cred,
+ gss_ctx_id_t ctx,
+ gss_name_t target,
+ gss_OID mech,
+ OM_uint32 reqFlags,
+ OM_uint32 timeReq,
+ gss_channel_bindings_t chanBindings,
+ gss_buffer_t inputToken,
+ gss_buffer_t outputToken,
+ OM_uint32 *smFlags)
+{
+ GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
+
+ *minor = 0;
+
+ return GSS_S_COMPLETE;
}
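Review bot: Neither eapGssSmInitCompleteInitiatorExts nor eapGssSmInitCompleteAcceptorExts has a header comment, and each takes eleven parameters of which only ctx, minor and smFlags are used, so a reader has to consult the state table below to see why they exist. I would add `/* Initiator extensions exchanged: advance to the next state and force a token so the acceptor's extensions complete the round trip */` above the first and `/* Acceptor extensions processed: mark the context established */` above the second. GSSEAP_SM_TRANSITION_NEXT at L74 presumably relies on the GSSEAP_STATE_INITIATOR_EXTS enum value being immediately followed by the acceptor-extensions state, which is a dependency worth stating in that comment so a later reordering of the enum is caught in review.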
static struct gss_eap_sm eapGssInitiatorSm[] = {
{
ITOK_TYPE_NONE,
ITOK_TYPE_NONE,
- GSSEAP_STATE_INITIAL,
+ GSSEAP_STATE_INITIAL | GSSEAP_STATE_REAUTHENTICATE,
SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
eapGssSmInitIdentity,
},
ITOK_TYPE_NONE,
GSSEAP_STATE_INITIATOR_EXTS,
0,
- eapGssSmInitCompleteExts
+ eapGssSmInitCompleteInitiatorExts
},
#ifdef GSSEAP_ENABLE_REAUTH
{
ITOK_TYPE_NONE,
GSSEAP_STATE_ACCEPTOR_EXTS,
0,
- eapGssSmInitCompleteExts
+ eapGssSmInitCompleteAcceptorExts
}
};
if (time_rec != NULL)
gssEapContextTime(&tmpMinor, ctx, time_rec);
- assert(ctx->state == GSSEAP_STATE_ESTABLISHED || major == GSS_S_CONTINUE_NEEDED);
+ assert(CTX_IS_ESTABLISHED(ctx) || major == GSS_S_CONTINUE_NEEDED);
cleanup:
if (cred != GSS_C_NO_CREDENTIAL)