ttls: return channel bindings on half round trip success

[freeradius.git] / src / modules / rlm_eap / types / rlm_eap_ttls / ttls.c

diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index 86c88d3..7c75baf 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -701,7 +701,18 @@ static int process_reply(UNUSED eap_handler_t *handler, tls_session_t *tls_sessi
 
                /* move channel binding responses; we need to send them */
                pairmove2(&vp, &reply->vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY);
-
+               if (pairfind(vp, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY) != NULL) {
+                       t->authenticated = TRUE;
+                       /*
+                        *      Use the tunneled reply, but not now.
+                        */
+                       if (t->use_tunneled_reply) {
+                               t->accept_vps = reply->vps;
+                               reply->vps = NULL;
+                       }
+                       rcode = RLM_MODULE_HANDLED;
+               }
+               
                /*
                 *      Handle the ACK, by tunneling any necessary reply
                 *      VP's back to the client.