do MIC round trip for fast reauth case
authorLuke Howard <lukeh@padl.com>
Mon, 14 Mar 2011 07:31:58 +0000 (18:31 +1100)
committerLuke Howard <lukeh@padl.com>
Mon, 14 Mar 2011 07:31:58 +0000 (18:31 +1100)
mech_eap/accept_sec_context.c
mech_eap/init_sec_context.c
mech_eap/util_sm.c

index 5e1668e..1bc5a88 100644 (file)
@@ -619,6 +619,9 @@ eapGssSmAcceptGssChannelBindings(OM_uint32 *minor,
     OM_uint32 major, tmpMinor;
     gss_iov_buffer_desc iov[2];
 
+    if (ctx->flags & CTX_FLAG_KRB_REAUTH)
+        return GSS_S_CONTINUE_NEEDED;
+
     iov[0].type = GSS_IOV_BUFFER_TYPE_DATA | GSS_IOV_BUFFER_FLAG_ALLOCATE;
     iov[0].buffer.length = 0;
     iov[0].buffer.value = NULL;
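Review bot: The early return on L15-L16 makes the acceptor skip channel-binding verification entirely whenever CTX_FLAG_KRB_REAUTH is set, and nothing in the hunk records where the bindings are checked for that path. If the intent is that the inner Kerberos context already bound them, the site should say so, e.g. `/* reauth: channel bindings are verified by the Kerberos context, not by this inner token */` — confirm against the Kerberos accept path before adding it. eapGssSmAcceptGssChannelBindings continues outside the hunk.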
@@ -772,7 +775,7 @@ static struct gss_eap_sm eapGssAcceptorSm[] = {
         ITOK_TYPE_GSS_CHANNEL_BINDINGS,
         ITOK_TYPE_NONE,
         GSSEAP_STATE_INITIATOR_EXTS,
-        SM_ITOK_FLAG_REQUIRED,
+        0,
         eapGssSmAcceptGssChannelBindings,
     },
     {
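Review bot: Dropping SM_ITOK_FLAG_REQUIRED on L26 makes the channel-bindings inner token optional for every initiator, not only the reauth case that stops sending it. If gssEapSmStep treats an absent optional token as "skip this entry" (the REQUIRED check in util_sm.c suggests that is the only enforcement), a non-reauth initiator that omits the token is now accepted without eapGssSmAcceptGssChannelBindings ever running its check; whether the handler is still invoked on a missing token is not visible here. A narrower change would keep the flag and let the required-token check consult `ctx->flags & CTX_FLAG_KRB_REAUTH`, or have the handler fail when the token is absent and reauth is not in effect.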
@@ -979,7 +982,7 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
         major = acceptReadyKrb(minor, ctx, cred,
                                krbInitiator, mech, timeRec);
         if (major == GSS_S_COMPLETE) {
-            GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
+            GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIATOR_EXTS);
         }
         ctx->gssFlags = gssFlags;
     } else if (GSS_ERROR(major) &&
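Review bot: The transition on L35 now parks a completed Kerberos reauth in GSSEAP_STATE_INITIATOR_EXTS instead of ESTABLISHED, but nothing at the site says why the context is not established yet. A one-line comment would save the next reader a trip through the commit log: `/* reauth still needs the initiator MIC round trip before ESTABLISHED */`. eapGssSmAcceptGssReauth starts before and ends after this hunk.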
@@ -988,9 +991,10 @@ eapGssSmAcceptGssReauth(OM_uint32 *minor,
         gssDeleteSecContext(&tmpMinor, &ctx->kerberosCtx, GSS_C_NO_BUFFER);
         ctx->flags &= ~(CTX_FLAG_KRB_REAUTH);
         GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIAL);
-        major = GSS_S_CONTINUE_NEEDED;
     }
 
+    major = GSS_S_CONTINUE_NEEDED;
+
     gssReleaseName(&tmpMinor, &krbInitiator);
 
     return major;
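Review bot: The unconditional `major = GSS_S_CONTINUE_NEEDED;` on L46 overwrites a failure from acceptReadyKrb (L31-L32): that result is only tested for GSS_S_COMPLETE on L33, it sits inside the outer if-body rather than the else-if on L38, so an error falls through to L46 and is reported to the caller as a continue without the state transition on L35 having happened. Restore the assignment the commit removed on L43 inside the else-if fallback branch and guard the trailing one, `if (!GSS_ERROR(major)) major = GSS_S_CONTINUE_NEEDED;`, so a genuine acceptReadyKrb error still propagates while the fall-back-to-EAP path keeps returning a continue. The start of the function and the rest of the else-if condition are outside this hunk.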
index 59b69ff..1e2ef75 100644 (file)
@@ -478,11 +478,14 @@ eapGssSmInitGssReauth(OM_uint32 *minor,
         major = gssEapReauthComplete(minor, ctx, cred, actualMech, timeRec);
         if (GSS_ERROR(major))
             goto cleanup;
-        GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_ESTABLISHED);
+
+        GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_INITIATOR_EXTS);
     } else {
         GSSEAP_SM_TRANSITION(ctx, GSSEAP_STATE_REAUTHENTICATE);
     }
 
+    major = GSS_S_CONTINUE_NEEDED;
+
 cleanup:
     gssReleaseName(&tmpMinor, &mechTarget);
 
@@ -757,6 +760,9 @@ eapGssSmInitGssChannelBindings(OM_uint32 *minor,
     OM_uint32 major;
     gss_buffer_desc buffer = GSS_C_EMPTY_BUFFER;
 
+    if (ctx->flags & CTX_FLAG_KRB_REAUTH)
+        return GSS_S_CONTINUE_NEEDED;
+
     if (chanBindings != GSS_C_NO_CHANNEL_BINDINGS)
         buffer = chanBindings->application_data;
 
@@ -922,6 +928,9 @@ static struct gss_eap_sm eapGssInitiatorSm[] = {
     {
         ITOK_TYPE_NONE,
         ITOK_TYPE_INITIATOR_MIC,
+#ifdef GSSEAP_ENABLE_REAUTH
+        GSSEAP_STATE_REAUTHENTICATE |
+#endif
         GSSEAP_STATE_INITIATOR_EXTS,
         0,
         eapGssSmInitInitiatorMIC
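Review bot: The `#ifdef GSSEAP_ENABLE_REAUTH` block on L82-L84 leaves a trailing `|` that only parses because L85 follows, and the reason the MIC entry must also be valid in GSSEAP_STATE_REAUTHENTICATE is not recorded. A short comment would help, e.g. `/* reauth completes straight into INITIATOR_EXTS, so the MIC entry must also match the REAUTHENTICATE state */` — hedged, since how gssEapSmStep iterates the entries within one step is not visible here. The table starts before and ends after this hunk.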
index 72d5cf4..967be93 100644 (file)
@@ -329,6 +329,10 @@ gssEapSmStep(OM_uint32 *minor,
         } else if ((smp->itokFlags & SM_ITOK_FLAG_REQUIRED) &&
             smp->inputTokenType != ITOK_TYPE_NONE) {
             /* Check for required inner tokens */
+#ifdef GSSEAP_DEBUG
+            fprintf(stderr, "GSS-EAP: missing required token %08X\n",
+                    smp->inputTokenType);
+#endif
             major = GSS_S_DEFECTIVE_TOKEN;
             *minor = GSSEAP_MISSING_REQUIRED_ITOK;
             break;
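Review bot: The debug fprintf on L94-L95 passes smp->inputTokenType to `%08X`, which requires an unsigned int; if inputTokenType is an enum or a typedef that is not unsigned int on some platform, the format and argument mismatch, so cast explicitly: `fprintf(stderr, "GSS-EAP: missing required token %08X\n", (unsigned int)smp->inputTokenType);`. Note this diagnostic only fires when SM_ITOK_FLAG_REQUIRED is set, which the acceptor table change in this commit removes from the channel-bindings entry. gssEapSmStep starts and ends outside the hunk.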