Set GSS_C_MUTUAL_FLAG only on successful channel binding.
authorKevin Wasserman <kevin.wasserman@painless-security.com>
Fri, 17 Feb 2012 19:30:56 +0000 (14:30 -0500)
committerSam Hartman <hartmans@debian.org>
Tue, 19 Mar 2013 17:02:29 +0000 (13:02 -0400)
Previously, GSS_C_MUTUAL_FLAG was always set in the initiator context;
CTX_FLAG_EAP_CHBIND_ACCEPT was also set on successful channel binding.
Then GSS_C_MUTUAL_FLAG was properly specified in the return flags to
gssEapInitSecContext() depending on whether CTX_FLAG_EAP_CHBIND was set,
but eapGssSmInitGssFlags() was improperly sending GSS_C_MUTUAL_FLAG to
the acceptor even when no channel binding had occurred.

mech_eap/init_sec_context.c

index 417ad4e..5747d26 100644 (file)
@@ -336,6 +336,7 @@ peerProcessChbindResponse(void *context, int code, int nsid,
     if ((code == CHBIND_CODE_SUCCESS) &&
         (accepted == ctx->initiatorCtx.chbindReqFlags)) {
         ctx->flags |= CTX_FLAG_EAP_CHBIND_ACCEPT;
+        ctx->gssFlags |= GSS_C_MUTUAL_FLAG;
         /* Accepted! */
     } else {
         /* log failures? */
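Review bot: The failure branch of peerProcessChbindResponse() leaves `ctx->gssFlags` untouched, so the rule "GSS_C_MUTUAL_FLAG is set only after successful channel binding" holds only if no other path ever puts that bit into gssFlags. How gssFlags is initialised is not visible in this hunk; if it is ever seeded from the caller's requested flags, a rejected or mismatched binding would still leave mutual authentication advertised to the acceptor and the caller. Clearing the bit explicitly in the else branch, `ctx->gssFlags &= ~GSS_C_MUTUAL_FLAG;`, makes the failure case fail closed. The `/* log failures? */` placeholder is also worth replacing with a real log call, since a channel-binding rejection is a security-relevant event. The function body starts and ends outside the hunk.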
@@ -464,12 +465,6 @@ initReady(OM_uint32 *minor, gss_ctx_id_t ctx, OM_uint32 reqFlags)
     const unsigned char *key;
     size_t keyLength;
 
-#if 1
-    /* XXX actually check for mutual auth */
-    if (reqFlags & GSS_C_MUTUAL_FLAG)
-        ctx->gssFlags |= GSS_C_MUTUAL_FLAG;
-#endif
-
     /* Cache encryption type derived from selected mechanism OID */
     major = gssEapOidToEnctype(minor, ctx->mechanismUsed, &ctx->encryptionType);
     if (GSS_ERROR(major))
@@ -1198,13 +1193,10 @@ gssEapInitSecContext(OM_uint32 *minor,
             goto cleanup;
         }
     }
-    if (ret_flags != NULL) {
-        if ((major == GSS_S_COMPLETE) &&
-            (ctx->flags & CTX_FLAG_EAP_CHBIND_ACCEPT))
-            *ret_flags = ctx->gssFlags | GSS_C_MUTUAL_FLAG;
-        else
-            *ret_flags = ctx->gssFlags & (~GSS_C_MUTUAL_FLAG);
-    }
+
+    if (ret_flags != NULL)
+        *ret_flags = ctx->gssFlags;
+
     if (major == GSS_S_COMPLETE)
         major = major;
     if (time_rec != NULL)
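Review bot: `*ret_flags = ctx->gssFlags;` no longer gates GSS_C_MUTUAL_FLAG on `major == GSS_S_COMPLETE`, which the removed lines did. If the channel-binding response can be processed on a leg that still returns GSS_S_CONTINUE_NEEDED (not visible here), a caller that inspects ret_flags early would see mutual authentication reported before the exchange has finished. Keeping the completion gate is one line: `*ret_flags = (major == GSS_S_COMPLETE) ? ctx->gssFlags : (ctx->gssFlags & ~GSS_C_MUTUAL_FLAG);`. Separately, the context lines `if (major == GSS_S_COMPLETE) major = major;` are a no-op self-assignment and could be dropped. gssEapInitSecContext() begins and continues outside the hunk.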