Eap channel bindings fixes

Only specify GSS_C_MUTUAL_FLAG return flag on successful eap channel
binding.

diff --git a/mech_eap/gssapiP_eap.h b/mech_eap/gssapiP_eap.h
index fd19955..7fd55df 100644 (file)
--- a/mech_eap/gssapiP_eap.h
+++ b/mech_eap/gssapiP_eap.h
@@ -193,6 +193,7 @@ struct gss_cred_id_struct
 #define CTX_FLAG_EAP_PORT_ENABLED           0x00400000
 #define CTX_FLAG_EAP_ALT_ACCEPT             0x00800000
 #define CTX_FLAG_EAP_ALT_REJECT             0x01000000
+#define CTX_FLAG_EAP_CHBIND_ACCEPT          0x02000000
 #define CTX_FLAG_EAP_MASK                   0xFFFF0000
 
 struct gss_eap_initiator_ctx {

diff --git a/mech_eap/init_sec_context.c b/mech_eap/init_sec_context.c
index faae579..ad0a3b5 100644 (file)
--- a/mech_eap/init_sec_context.c
+++ b/mech_eap/init_sec_context.c
@@ -318,11 +318,11 @@ peerProcessChbindResponse(void *context, int code, int nsid,
             }
         }
         radius_parser_finish(vendor_specific);
-        break;
     }
     radius_parser_finish(msg);
     if ((code == CHBIND_CODE_SUCCESS) &&
         (accepted == ctx->initiatorCtx.chbindReqFlags)) {
+        ctx->flags |= CTX_FLAG_EAP_CHBIND_ACCEPT;
         /* Accepted! */
     } else {
         /* log failures? */
@@ -1185,8 +1185,15 @@ gssEapInitSecContext(OM_uint32 *minor,
             goto cleanup;
         }
     }
-    if (ret_flags != NULL)
-        *ret_flags = ctx->gssFlags;
+    if (ret_flags != NULL) {
+        if ((major == GSS_S_COMPLETE) &&
+            (ctx->flags & CTX_FLAG_EAP_CHBIND_ACCEPT))
+            *ret_flags = ctx->gssFlags | GSS_C_MUTUAL_FLAG;
+        else
+            *ret_flags = ctx->gssFlags & (~GSS_C_MUTUAL_FLAG);
+    }
+    if (major == GSS_S_COMPLETE)
+        major = major;
     if (time_rec != NULL)
         gssEapContextTime(&tmpMinor, ctx, time_rec);