int copy_request_to_tunnel;
/*
+ * RFC 5281 (TTLS) says that the length field MUST NOT be
+ * in fragments after the first one. However, we've done
+ * it that way for years, and no one has complained.
+ *
+ * In the interests of allowing the server to follow the
+ * RFC, we add the option here. If set to "no", it sends
+ * the length field in ONLY the first fragment.
+ */
+ int include_length;
+
+ /*
* Virtual server for inner tunnel session.
*/
char *virtual_server;
{ "virtual_server", PW_TYPE_STRING_PTR,
offsetof(rlm_eap_ttls_t, virtual_server), NULL, NULL },
+ { "include_length", PW_TYPE_BOOLEAN,
+ offsetof(rlm_eap_ttls_t, include_length), NULL, "yes" },
+
{ NULL, -1, 0, NULL, NULL } /* end the list */
};
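Review bot: The new `include_length` entry defaults to "yes", which the comment added on the struct field describes as the framing RFC 5281 forbids (length field in fragments after the first), but nothing at the table entry records that the default is the non-compliant one. A one-line comment above the entry would help anyone auditing the defaults, e.g. `/* default "yes" keeps the historical framing; "no" sends the length only in the first fragment */`. The option is parsed as PW_TYPE_BOOLEAN into the `int include_length` field, which matches the declaration in the struct hunk.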
pairfree(&t->username);
pairfree(&t->state);
- pairfree(&t->reply);
+ pairfree(&t->accept_vps);
free(t);
}
RDEBUG2("Authenticate");
+ tls_session->length_flag = inst->include_length;
+
/*
* Process TLS layer until done.
*/
}
if (t && t->authenticated) {
- if (t->reply) {
- pairmove(&handler->request->reply->vps,
- &t->reply);
- pairfree(&t->reply);
+ if (t->accept_vps) {
+ pairadd(&handler->request->reply->vps,
+ t->accept_vps);
+ t->accept_vps = NULL;
}
do_keys:
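Review bot: Swapping `pairmove()` for `pairadd()` in the `t->authenticated` branch changes how the saved attributes reach the reply. `pairadd()` appends the list as-is, so an attribute already present in `handler->request->reply->vps` would now appear twice instead of being merged by operator, assuming `pairmove()` keeps its usual operator handling in this tree. If appending is intended, say so in a comment and record the ownership transfer, e.g. `/* reply list now owns these pairs; clear our pointer so pairfree(&t->accept_vps) in the tunnel free routine cannot free them a second time */`. The `pairfree(&t->accept_vps)` added in the free routine is only safe while `t->accept_vps = NULL;` stays directly after the `pairadd()` call. The enclosing function starts and ends outside this hunk.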
/*
* will proxy it, rather than returning an EAP packet.
*/
case PW_STATUS_CLIENT:
+#ifdef WITH_PROXY
rad_assert(handler->request->proxy != NULL);
+#endif
return 1;
break;
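Review bot: With only the assertion wrapped in `#ifdef WITH_PROXY`, a build without proxy support still takes `case PW_STATUS_CLIENT:` and returns 1, which the comment above describes as "will proxy it, rather than returning an EAP packet". If that status cannot legitimately occur without WITH_PROXY, moving the `#ifdef WITH_PROXY` above the `case PW_STATUS_CLIENT:` label, so the value falls through to the switch's existing handling, would fail closed rather than report a hand-off that cannot happen. This is inferred, since the code producing the status is not in the hunk. The `break;` after `return 1;` is unreachable, and the switch continues outside the hunk.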