Port "use_tunneled_reply" fix for MS-CHAP from branch_1_1
[freeradius.git] / src / modules / rlm_eap / types / rlm_eap_ttls / ttls.c
index 8320d61..bd5d270 100644 (file)
@@ -616,6 +616,24 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
                        DEBUG2("  TTLS: Got MS-CHAP2-Success, tunneling it to the client in a challenge.");
                        rcode = RLM_MODULE_HANDLED;
                        t->authenticated = TRUE;
+                       
+                       /*
+                        *      Delete MPPE keys & encryption policy.  We don't
+                        *      want these here.
+                        */
+                       pairdelete(&reply->vps, ((311 << 16) | 7));
+                       pairdelete(&reply->vps, ((311 << 16) | 8));
+                       pairdelete(&reply->vps, ((311 << 16) | 16));
+                       pairdelete(&reply->vps, ((311 << 16) | 17));
+                       
+                       /*
+                        *      Use the tunneled reply, but not now.
+                        */
+                       if (t->use_tunneled_reply) {
+                               t->reply = reply->vps;
+                               reply->vps = NULL;
+                       }
+
                } else { /* no MS-CHAP2-Success */
                        /*
                         *      Can only have EAP-Message if there's
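Review bot: The four `pairdelete()` calls name the stripped attributes only by raw numbers, so a reader cannot check from the code that every key-bearing attribute is removed before the reply is stashed. Vendor 311 is Microsoft, and 7, 8, 16 and 17 are MS-MPPE-Encryption-Policy, MS-MPPE-Encryption-Types, MS-MPPE-Send-Key and MS-MPPE-Recv-Key in RFC 2548. A trailing comment on each line, e.g. `/* MS-MPPE-Send-Key */`, or named constants would make that list auditable. Separately, `t->reply = reply->vps;` overwrites whatever `t->reply` already held; if an earlier round of the tunnel can leave a list there, it would leak, so free the old list or check that it is NULL first. The rest of process_reply lies outside the hunk, so whether that can happen is unverified here.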