From 38e434d15ed4fd50f9fba583e2eaf0a002775408 Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Thu, 10 Mar 2011 00:39:47 +1100
Subject: [PATCH] Always request mutual on reauth to even out number of round
 trips

---
 init_sec_context.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/init_sec_context.c b/init_sec_context.c
index a9dadda..cef79d1 100644
--- a/init_sec_context.c
+++ b/init_sec_context.c
@@ -459,7 +459,7 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
                               &ctx->kerberosCtx,
                               mechTarget,
                               (gss_OID)gss_mech_krb5,
-                              reqFlags,
+                              reqFlags | GSS_C_MUTUAL_FLAG,
                               timeReq,
                               chanBindings,
                               inputToken,
@@ -473,6 +473,8 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
     ctx->gssFlags = gssFlags;
 
     if (major == GSS_S_COMPLETE) {
+        assert(GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE);
+
         major = gssEapReauthComplete(minor, ctx, cred, actualMech, timeRec);
         if (GSS_ERROR(major))
             goto cleanup;
@@ -735,9 +737,11 @@ eapGssSmInitReauthCreds(OM_uint32 *minor,
 {
     OM_uint32 major;
 
-    major = gssEapStoreReauthCreds(minor, ctx, cred, inputToken);
-    if (GSS_ERROR(major))
-        return major;
+    if (ctx->gssFlags & GSS_C_MUTUAL_FLAG) {
+        major = gssEapStoreReauthCreds(minor, ctx, cred, inputToken);
+        if (GSS_ERROR(major))
+            return major;
+    }
 
     *minor = 0;
     return GSS_S_CONTINUE_NEEDED;
-- 
2.1.4