Don't promote bindings unwrap failure to GSS_S_BAD_BINDINGS

[moonshot.git] / mech_eap / accept_sec_context.c

diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c
index b9bdb80..9036c85 100644 (file)
--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@ -624,7 +624,7 @@ eapGssSmAcceptGssChannelBindings(OM_uint32 *minor,
     major = gssEapUnwrapOrVerifyMIC(minor, ctx, NULL, NULL,
                                     iov, 2, TOK_TYPE_WRAP);
     if (GSS_ERROR(major))
-        return GSS_S_BAD_BINDINGS;
+        return major;
 
     if (chanBindings != GSS_C_NO_CHANNEL_BINDINGS &&
         !bufferEqual(&iov[0].buffer, &chanBindings->application_data)) {
@@ -965,12 +965,12 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
             GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
         }
         ctx->gssFlags = gssFlags;
-    } else if ((*smFlags & SM_FLAG_INPUT_TOKEN_CRITICAL) == 0) {
+    } else if (GSS_ERROR(major) &&
+        (*smFlags & SM_FLAG_INPUT_TOKEN_CRITICAL) == 0) {
         /* pretend reauthentication attempt never happened */
         gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
         ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
         GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
-        *smFlags |= SM_FLAG_RESTART;
         major = GSS_S_CONTINUE_NEEDED;
     }