ttls: return channel bindings on half round trip success eap-chbind2
authorSam Hartman <hartmans@debian.org>
Mon, 25 Mar 2013 23:41:44 +0000 (19:41 -0400)
committerSam Hartman <hartmans@debian.org>
Mon, 25 Mar 2013 23:41:44 +0000 (19:41 -0400)
If we get a channel binding request at the same time we'd like to
return an access accept, return a challenge instead.

src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c

index e342a9e..f981dfe 100644 (file)
@@ -740,7 +740,18 @@ static int process_reply(EAP_HANDLER *handler, tls_session_t *tls_session,
 
                /* move channel binding responses; we need to send them */
                pairmove2(&vp, &reply->vps, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY);
-
+               if (pairfind(vp, PW_UKERNA_CHBIND, VENDORPEC_UKERNA, TAG_ANY) != NULL) {
+                       t->authenticated = TRUE;
+                       /*
+                        *      Use the tunneled reply, but not now.
+                        */
+                       if (t->use_tunneled_reply) {
+                               t->accept_vps = reply->vps;
+                               reply->vps = NULL;
+                       }
+                       rcode = RLM_MODULE_HANDLED;
+               }
+               
                /*
                 *      Handle the ACK, by tunneling any necessary reply
                 *      VP's back to the client.
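Review bot: The added branch assigns `t->accept_vps = reply->vps` without checking whether `t->accept_vps` already holds a deferred reply, so a list stashed earlier would be leaked and replaced, possibly with NULL if `reply->vps` had already been emptied. Whether an earlier branch of process_reply can do that is not visible here, because the function starts and ends outside the hunk, but the guard is cheap: `if (t->use_tunneled_reply && t->accept_vps == NULL) {`. The comment `Use the tunneled reply, but not now.` should also say why, for example `/* Hold the Access-Accept attributes until the peer has acknowledged the channel binding response; send a challenge now. */`. Because `t->authenticated = TRUE` is set before the peer has seen the binding result, it is worth confirming that the code consuming that flag completes the session only on the peer's acknowledgement.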