From 7b5b487481b58e5b7ef76124a5573c8ee8817561 Mon Sep 17 00:00:00 2001
From: Luke Howard <lukeh@padl.com>
Date: Thu, 10 Mar 2011 01:27:48 +1100
Subject: [PATCH] if reauth token marked critical, don't allow EAP fallback

---
 accept_sec_context.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/accept_sec_context.c b/accept_sec_context.c
index c39cf6b..b9bdb80 100644
--- a/accept_sec_context.c
+++ b/accept_sec_context.c
@@ -965,7 +965,8 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
             GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
         }
         ctx->gssFlags = gssFlags;
-    } else {
+    } else if ((*smFlags & SM_FLAG_INPUT_TOKEN_CRITICAL) == 0) {
+        /* pretend reauthentication attempt never happened */
         gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
         ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
         GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
-- 
2.1.4