From be398286f2d3be6e9744a038fe4b80612b39b10a Mon Sep 17 00:00:00 2001 From: Kevin Wasserman Date: Fri, 17 Feb 2012 14:30:56 -0500 Subject: [PATCH] Set GSS_C_MUTUAL_FLAG only on successful channel binding. Previously, GSS_C_MUTUAL_FLAG was always set in the initiator context; CTX_FLAG_EAP_CHBIND_ACCEPT was also set on successful channel binding. Then GSS_C_MUTUAL_FLAG was properly specified in the return flags to gssEapInitSecContext() depending on whether CTX_FLAG_EAP_CHBIND was set, but eapGssSmInitGssFlags() was improperly sending GSS_C_MUTUAL_FLAG to the acceptor even when no channel binding had occured. --- mech_eap/init_sec_context.c | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c index 417ad4e..5747d26 100644 --- a/mech_eap/init_sec_context.c +++ b/mech_eap/init_sec_context.c @@ -336,6 +336,7 @@ peerProcessChbindResponse(void *context, int code, int nsid, if ((code == CHBIND_CODE_SUCCESS) && (accepted == ctx->initiatorCtx.chbindReqFlags)) { ctx->flags |= CTX_FLAG_EAP_CHBIND_ACCEPT; + ctx->gssFlags |= GSS_C_MUTUAL_FLAG; /* Accepted! */ } else { /* log failures? */ @@ -464,12 +465,6 @@ initReady(OM_uint32 *minor, gss_ctx_id_t ctx, OM_uint32 reqFlags) const unsigned char *key; size_t keyLength; -#if 1 - /* XXX actually check for mutual auth */ - if (reqFlags & GSS_C_MUTUAL_FLAG) - ctx->gssFlags |= GSS_C_MUTUAL_FLAG; -#endif - /* Cache encryption type derived from selected mechanism OID */ major = gssEapOidToEnctype(minor, ctx->mechanismUsed, &ctx->encryptionType); if (GSS_ERROR(major)) @@ -1198,13 +1193,10 @@ gssEapInitSecContext(OM_uint32 *minor, goto cleanup; } } - if (ret_flags != NULL) { - if ((major == GSS_S_COMPLETE) && - (ctx->flags & CTX_FLAG_EAP_CHBIND_ACCEPT)) - *ret_flags = ctx->gssFlags | GSS_C_MUTUAL_FLAG; - else - *ret_flags = ctx->gssFlags & (~GSS_C_MUTUAL_FLAG); - } + + if (ret_flags != NULL) + *ret_flags = ctx->gssFlags; + if (major == GSS_S_COMPLETE) major = major; if (time_rec != NULL) -- 2.1.4