if reauth token marked critical, don't allow EAP fallback

author Luke Howard <lukeh@padl.com>

Wed, 9 Mar 2011 14:27:48 +0000 (01:27 +1100)

committer Luke Howard <lukeh@padl.com>

Wed, 9 Mar 2011 14:27:48 +0000 (01:27 +1100)
author Luke Howard <lukeh@padl.com>
Wed, 9 Mar 2011 14:27:48 +0000 (01:27 +1100)
committer Luke Howard <lukeh@padl.com>
Wed, 9 Mar 2011 14:27:48 +0000 (01:27 +1100)
diff --git a/mech_eap/accept_sec_context.c b/mech_eap/accept_sec_context.c

index c39cf6b..b9bdb80 100644 (file)
--- a/mech_eap/accept_sec_context.c
+++ b/mech_eap/accept_sec_context.c
@@ -965,7 +965,8 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
              GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
          }
          ctx->gssFlags = gssFlags;
-    } else {
+    } else if ((*smFlags & SM_FLAG_INPUT_TOKEN_CRITICAL) == 0) {
+        /* pretend reauthentication attempt never happened */
          gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
          ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
          GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
author	Luke Howard <lukeh@padl.com>
	Wed, 9 Mar 2011 14:27:48 +0000 (01:27 +1100)
committer	Luke Howard <lukeh@padl.com>
	Wed, 9 Mar 2011 14:27:48 +0000 (01:27 +1100)