GSSEAP_SM_TRANSITION_NEXT(ctx);
*minor = 0;
+ *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
return GSS_S_CONTINUE_NEEDED;
}
frresp = rs_packet_frpkt(resp);
switch (frresp->code) {
- case PW_AUTHENTICATION_ACK:
case PW_ACCESS_CHALLENGE:
+ case PW_AUTHENTICATION_ACK:
break;
case PW_AUTHENTICATION_REJECT:
*minor = GSSEAP_RADIUS_AUTH_FAILURE;
major = GSS_S_CONTINUE_NEEDED;
*minor = 0;
+ *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
cleanup:
if (request != NULL)
ITOK_TYPE_NONE,
ITOK_TYPE_EAP_REQ,
GSSEAP_STATE_INITIAL,
- SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
+ SM_ITOK_FLAG_REQUIRED,
eapGssSmAcceptIdentity,
},
{
ITOK_TYPE_EAP_RESP,
ITOK_TYPE_EAP_REQ,
GSSEAP_STATE_AUTHENTICATE,
- SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
+ SM_ITOK_FLAG_REQUIRED,
eapGssSmAcceptAuthenticate
},
{
ITOK_TYPE_GSS_CHANNEL_BINDINGS,
ITOK_TYPE_NONE,
GSSEAP_STATE_INITIATOR_EXTS,
- SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
+ SM_ITOK_FLAG_REQUIRED,
eapGssSmAcceptGssChannelBindings,
},
{
major = tmpMajor;
*minor = tmpMinor;
}
+
+ *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
}
wpabuf_set(&ctx->initiatorCtx.reqData, NULL, 0);
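Review bot: `*smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;` is placed after the error branch above it rather than in an `else`, so the flag is also set when that branch has just overwritten `major` with `tmpMajor`. The branch's condition is outside the hunk, but if it is the failure path for filling `outputToken`, the handler then reports a critical output token it did not produce. Moving the line into an `else` of that branch keeps the flag tied to a token actually being emitted. The enclosing function starts and ends outside the hunk.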
assert(outputToken->value != NULL);
*minor = 0;
+ *smFlags |= SM_FLAG_OUTPUT_TOKEN_CRITICAL;
+
return GSS_S_CONTINUE_NEEDED;
}
ITOK_TYPE_CONTEXT_ERR,
ITOK_TYPE_NONE,
GSSEAP_STATE_ALL & ~(GSSEAP_STATE_INITIAL),
- SM_ITOK_FLAG_CRITICAL,
+ 0,
eapGssSmInitError
},
{
ITOK_TYPE_NONE,
ITOK_TYPE_NONE,
GSSEAP_STATE_INITIAL | GSSEAP_STATE_REAUTHENTICATE,
- SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
+ SM_ITOK_FLAG_REQUIRED,
eapGssSmInitIdentity
},
{
ITOK_TYPE_EAP_REQ,
ITOK_TYPE_EAP_RESP,
GSSEAP_STATE_AUTHENTICATE,
- SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
+ SM_ITOK_FLAG_REQUIRED,
eapGssSmInitAuthenticate
},
{
ITOK_TYPE_NONE,
ITOK_TYPE_GSS_CHANNEL_BINDINGS,
GSSEAP_STATE_INITIATOR_EXTS,
- SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED,
+ SM_ITOK_FLAG_REQUIRED,
eapGssSmInitGssChannelBindings
},
{
OM_uint32 *);
};
+/* state machine flags, set by handler */
#define SM_FLAG_FORCE_SEND_TOKEN 0x00000001 /* send token even if empty */
#define SM_FLAG_STOP_EVAL 0x00000002 /* no more handlers for this state */
#define SM_FLAG_RESTART 0x00000004 /* restart state machine */
+#define SM_FLAG_OUTPUT_TOKEN_CRITICAL 0x00000008 /* output token is critical */
-#define SM_ITOK_FLAG_CRITICAL 0x00000001 /* sent tokens marked critical */
-#define SM_ITOK_FLAG_REQUIRED 0x00000002 /* received tokens must be present */
+/* state machine flags, set by state machine */
+#define SM_FLAG_INPUT_TOKEN_CRITICAL 0x40000000 /* input token was critical */
+
+#define SM_ITOK_FLAG_REQUIRED 0x00000001 /* received tokens must be present */
OM_uint32
gssEapSmStep(OM_uint32 *minor,
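Review bot: The two new header comments ("set by handler" / "set by state machine") do not say that both groups of flags live in the same `smFlags` word, which is what a handler author needs to know. A handler that assigns `*smFlags = ...` instead of OR-ing would silently clear `SM_FLAG_INPUT_TOKEN_CRITICAL`. I would reword the second comment to something like `/* input flags: set by gssEapSmStep() before the handler runs; handlers must only OR into *smFlags */`. None of the visible hunks reads `SM_FLAG_INPUT_TOKEN_CRITICAL`, so a word on what a handler is expected to do with it would also help.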
enum gss_eap_state oldState = ctx->state;
smFlags = 0;
+ if (inputTokenType != NULL && (*inputTokenType & ITOK_FLAG_CRITICAL))
+ smFlags |= SM_FLAG_INPUT_TOKEN_CRITICAL;
major = smp->processToken(minor, cred, ctx, target, mech, reqFlags,
timeReq, chanBindings, innerInputToken,
innerOutputTokens->elements[innerOutputTokens->count] = innerOutputToken;
assert(smp->outputTokenType != ITOK_TYPE_NONE);
outputTokenTypes[innerOutputTokens->count] = smp->outputTokenType;
- if (smp->itokFlags & SM_ITOK_FLAG_CRITICAL)
+ if (smFlags & SM_FLAG_OUTPUT_TOKEN_CRITICAL)
outputTokenTypes[innerOutputTokens->count] |= ITOK_FLAG_CRITICAL;
innerOutputTokens->count++;
}
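Review bot: Output-token criticality is now opt-in on every handler return path, and nothing at the `if (smFlags & SM_FLAG_OUTPUT_TOKEN_CRITICAL)` check documents that contract. A path that fills an output token without OR-ing in the flag now sends it without `ITOK_FLAG_CRITICAL`, where the table entry used to guarantee it; presumably a peer that does not recognise such a token may then skip it instead of failing, which matters most for the channel-bindings token. The table hunks that drop `SM_ITOK_FLAG_CRITICAL` from the acceptor and initiator entries rely on the same contract. I would add above the check: `/* criticality is decided by the handler at run time: every path that emits a token the peer must not ignore has to set SM_FLAG_OUTPUT_TOKEN_CRITICAL */`. The enclosing function starts and ends outside the hunk.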