projects / freeradius.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 905aadc)
Always delete MS-MPPE-* from the reply. Fixes #1206
authorAlan T. DeKok <aland@freeradius.org>
Wed, 9 Sep 2015 13:23:48 +0000 (09:23 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Wed, 9 Sep 2015 13:23:48 +0000 (09:23 -0400)
src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c patch | blob | history

diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
index e81843a..41e1473 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -629,6 +629,15 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
                rcode = RLM_MODULE_OK;
 
                /*
+                *      Delete MPPE keys & encryption policy.  We don't
+                *      want these here.
+                */
+               pairdelete(&reply->vps, ((311 << 16) | 7));
+               pairdelete(&reply->vps, ((311 << 16) | 8));
+               pairdelete(&reply->vps, ((311 << 16) | 16));
+               pairdelete(&reply->vps, ((311 << 16) | 17));
+
+               /*
                 *      MS-CHAP2-Success means that we do NOT return
                 *      an Access-Accept, but instead tunnel that
                 *      attribute to the client, and keep going with
@@ -644,15 +653,6 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
                        t->authenticated = TRUE;
 
                        /*
-                        *      Delete MPPE keys & encryption policy.  We don't
-                        *      want these here.
-                        */
-                       pairdelete(&reply->vps, ((311 << 16) | 7));
-                       pairdelete(&reply->vps, ((311 << 16) | 8));
-                       pairdelete(&reply->vps, ((311 << 16) | 16));
-                       pairdelete(&reply->vps, ((311 << 16) | 17));
-
-                       /*
                         *      Use the tunneled reply, but not now.
                         */
                        if (t->use_tunneled_reply) {
@@ -663,7 +663,7 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
                } else { /* no MS-CHAP2-Success */
                        /*
                         *      Can only have EAP-Message if there's
-                        *      no MS-CHAP2-Success.  (FIXME: EAP-MSCHAP?)
+                        *      no MS-CHAP2-Success.
                         *
                         *      We also do NOT tunnel the EAP-Success
                         *      attribute back to the client, as the client
Unnamed repository; edit this file 'description' to name the repository.