From a79e943d49b3a9cad3c7bc2ff0fe618bc43192b5 Mon Sep 17 00:00:00 2001 From: "Alan T. DeKok" Date: Wed, 9 Sep 2015 09:23:48 -0400 Subject: [PATCH] Always delete MS-MPPE-* from the reply. Fixes #1206 --- src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c index e81843a..41e1473 100644 --- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c +++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c @@ -629,6 +629,15 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, rcode = RLM_MODULE_OK; /* + * Delete MPPE keys & encryption policy. We don't + * want these here. + */ + pairdelete(&reply->vps, ((311 << 16) | 7)); + pairdelete(&reply->vps, ((311 << 16) | 8)); + pairdelete(&reply->vps, ((311 << 16) | 16)); + pairdelete(&reply->vps, ((311 << 16) | 17)); + + /* * MS-CHAP2-Success means that we do NOT return * an Access-Accept, but instead tunnel that * attribute to the client, and keep going with @@ -644,15 +653,6 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, t->authenticated = TRUE; /* - * Delete MPPE keys & encryption policy. We don't - * want these here. - */ - pairdelete(&reply->vps, ((311 << 16) | 7)); - pairdelete(&reply->vps, ((311 << 16) | 8)); - pairdelete(&reply->vps, ((311 << 16) | 16)); - pairdelete(&reply->vps, ((311 << 16) | 17)); - - /* * Use the tunneled reply, but not now. */ if (t->use_tunneled_reply) { @@ -663,7 +663,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session, } else { /* no MS-CHAP2-Success */ /* * Can only have EAP-Message if there's - * no MS-CHAP2-Success. (FIXME: EAP-MSCHAP?) + * no MS-CHAP2-Success. * * We also do NOT tunnel the EAP-Success * attribute back to the client, as the client -- 2.1.4