From 3ed9243fd18a163a84cf2eef4994dc671a6238c8 Mon Sep 17 00:00:00 2001 From: Luke Howard Date: Wed, 9 Mar 2011 15:31:48 +1100 Subject: [PATCH] Allow for graceful restart if acceptor ignores reauth token --- init_sec_context.c | 17 ++++++++++++----- util_sm.c | 12 ++++++++---- 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/init_sec_context.c b/init_sec_context.c index 8104a63..9966090 100644 --- a/init_sec_context.c +++ b/init_sec_context.c @@ -438,7 +438,7 @@ eapGssSmInitGssReauth(OM_uint32 *minor, assert(cred != GSS_C_NO_CREDENTIAL); - if (ctx->state == GSSEAP_STATE_INITIAL) { + if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_INITIAL) { if (!gssEapCanReauthP(cred, target, timeReq)) return GSS_S_CONTINUE_NEEDED; @@ -533,6 +533,15 @@ eapGssSmInitIdentity(OM_uint32 *minor, OM_uint32 major; struct eap_config eapConfig; + if (GSSEAP_SM_STATE(ctx) == GSSEAP_STATE_REAUTHENTICATE) { + /* server didn't support reauthentication, sent EAP request */ + GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL); + ctx->flags &= ~(CTX_FLAG_KRB_REAUTH); + *smFlags |= SM_FLAG_RESTART; + } else { + *smFlags |= SM_FLAG_FORCE_SEND_TOKEN; + } + assert((ctx->flags & CTX_FLAG_KRB_REAUTH) == 0); assert(inputToken == GSS_C_NO_BUFFER); @@ -563,9 +572,7 @@ eapGssSmInitIdentity(OM_uint32 *minor, GSSEAP_SM_TRANSITION_NEXT(ctx); - /* force sending of empty token */ *minor = 0; - *smFlags |= SM_FLAG_FORCE_SEND_TOKEN; return GSS_S_CONTINUE_NEEDED; } @@ -775,7 +782,7 @@ static struct gss_eap_sm eapGssInitiatorSm[] = { { ITOK_TYPE_NONE, ITOK_TYPE_NONE, - GSSEAP_STATE_INITIAL, + GSSEAP_STATE_INITIAL | GSSEAP_STATE_REAUTHENTICATE, SM_ITOK_FLAG_CRITICAL | SM_ITOK_FLAG_REQUIRED, eapGssSmInitIdentity, }, @@ -910,7 +917,7 @@ gss_init_sec_context(OM_uint32 *minor, if (time_rec != NULL) gssEapContextTime(&tmpMinor, ctx, time_rec); - assert(ctx->state == GSSEAP_STATE_ESTABLISHED || major == GSS_S_CONTINUE_NEEDED); + assert(CTX_IS_ESTABLISHED(ctx) || major == GSS_S_CONTINUE_NEEDED); cleanup: if (cred != GSS_C_NO_CREDENTIAL) diff --git a/util_sm.c b/util_sm.c index 8bbe40e..0788bcf 100644 --- a/util_sm.c +++ b/util_sm.c @@ -81,11 +81,11 @@ gssEapStateToString(enum gss_eap_state state) void gssEapSmTransition(gss_ctx_id_t ctx, enum gss_eap_state state) { - assert(state > ctx->state); assert(state <= GSSEAP_STATE_ESTABLISHED); fprintf(stderr, "GSS-EAP: state transition %s->%s\n", - gssEapStateToString(ctx->state), gssEapStateToString(state)); + gssEapStateToString(GSSEAP_SM_STATE(ctx)), + gssEapStateToString(state)); ctx->state = state; } @@ -236,7 +236,7 @@ gssEapSmStep(OM_uint32 *minor, initialContextToken = 1; } - if (ctx->state == GSSEAP_STATE_ESTABLISHED) { + if (CTX_IS_ESTABLISHED(ctx)) { major = GSS_S_BAD_STATUS; *minor = GSSEAP_CONTEXT_ESTABLISHED; goto cleanup; @@ -310,8 +310,12 @@ gssEapSmStep(OM_uint32 *minor, if (inputTokenType != NULL) *inputTokenType |= ITOK_FLAG_VERIFIED; - if (ctx->state != oldState) + if (smFlags & SM_FLAG_RESTART) { + assert(ctx->state < oldState); + i = 0; + } else if (ctx->state != oldState) { smFlags |= SM_FLAG_TRANSITED; + } if (innerOutputToken.value != NULL) { innerOutputTokens->elements[innerOutputTokens->count] = innerOutputToken; -- 2.1.4