From d2770705216a255d40cd75154fa7ef2e5ff92ba5 Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Mon, 25 Mar 2013 19:41:44 -0400
Subject: [PATCH] ttls: return channel bindings on half round trip success

If we get a channel binding request at the same time we'd like to return an access accept, return a challenge instead.
---
 src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index e342a9e..f981dfe 100644
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -740,7 +740,18 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
 /* move channel binding responses; we need to send them */
 pairmove2(&vp, &reply->vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY);
-
+ if (pairfind(vp, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY) != NULL) {
+ t->authenticated = TRUE;
+ /*
+ * Use the tunneled reply, but not now.
+ */
+ if (t->use_tunneled_reply) {
+ t->accept_vps = reply->vps;
+ reply->vps = NULL;
+ }
+ rcode = RLM_MODULE_HANDLED;
+ }
+
 /*
 * Handle the ACK, by tunneling any necessary reply
 * VP's back to the client.
-- 
2.1.4
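Review bot: The added `if` sets `t->authenticated = TRUE` and switches `rcode` to `RLM_MODULE_HANDLED` on nothing more than the presence of a `PW_UKERNA_CHBIND` attribute in `vp`; neither the reply code nor the content of the channel-binding response is examined in the lines shown. The flag is therefore only safe if this code sits in the Access-Accept path the commit message describes, which cannot be confirmed here because process_reply starts and ends outside the hunk. I would state that invariant above the block, e.g. `/* Access-Accept carrying a channel-binding response: mark the inner auth done but return a challenge so the response reaches the peer. */`. Separately, `t->accept_vps = reply->vps;` overwrites whatever `accept_vps` already holds, so if any earlier branch of this function can have populated it the old list would be leaked; confirm it is NULL at this point.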