From: Sam Hartman
Date: Mon, 25 Mar 2013 23:41:44 +0000 (-0400)
Subject: ttls: return channel bindings on half round trip success
X-Git-Tag: trustrouter-1.0~1^2
X-Git-Url: http://www.project-moonshot.org/gitweb/?a=commitdiff_plain;ds=sidebyside;h=d2770705216a255d40cd75154fa7ef2e5ff92ba5;p=freeradius.git

ttls: return channel bindings on half round trip success

If we get a channel binding request at the same time we'd like to return an access accept, return a challenge instead.
---
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index e342a9e..f981dfe 100644
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -740,7 +740,18 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
 /* move channel binding responses; we need to send them */
 pairmove2(&vp, &reply->vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY);
-
+ if (pairfind(vp, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY) != NULL) {
+ t->authenticated = TRUE;
+ /*
+ * Use the tunneled reply, but not now.
+ */
+ if (t->use_tunneled_reply) {
+ t->accept_vps = reply->vps;
+ reply->vps = NULL;
+ }
+ rcode = RLM_MODULE_HANDLED;
+ }
+
 /*
 * Handle the ACK, by tunneling any necessary reply
 * VP's back to the client.
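Review bot: `t->authenticated = TRUE;` in the added block is gated only on `pairfind(vp, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY) != NULL`, so the session is marked authenticated because a channel-binding attribute is present; nothing in the hunk checks the reply code or the content of that response. The enclosing switch/case of process_reply starts outside the hunk, and the "Handle the ACK" comment that follows suggests the Access-Accept path, but that invariant should be confirmed and written down above the `if`, for example `/* Tunneled Access-Accept that also carries a channel-binding response: send it in a challenge and defer the accept. */`. If a channel-binding response can also report a failed binding, the condition should presumably test for that before the flag is set. Separately, `t->accept_vps = reply->vps;` overwrites whatever list is already stored there; if an earlier round can have set it, calling `pairfree(&t->accept_vps);` first would avoid leaking the old list.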