pairfree(&t->username);
pairfree(&t->state);
+ pairfree(&t->reply);
free(t);
}
/*
- * Free the TTLS per-session data
+ * Allocate the TTLS per-session data
*/
static ttls_tunnel_t *ttls_alloc(rlm_eap_ttls_t *inst)
{
*/
case EAPTLS_SUCCESS:
if (t->authenticated) {
+ if (t->reply) {
+ pairadd(&handler->request->reply->vps, t->reply);
+ t->reply = NULL;
+ }
eaptls_success(handler->eap_ds, 0);
eaptls_gen_mppe_keys(&handler->request->reply->vps,
tls_session->ssl,
"ttls keying material");
} else {
- eaptls_request(handler->eap_ds, tls_session);
+ eaptls_request(handler->eap_ds, tls_session);
}
return 1;
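Review bot: The new pairadd on line 16 hands the stashed tunneled reply to the outer reply before eaptls_gen_mppe_keys appends its own MS-MPPE keys on line 20, so it silently depends on the MS-MPPE attributes having already been stripped from t->reply when it was captured (the pairdelete calls in the later hunk); nothing at this site records that precondition, and a stashed list that still carried them would yield duplicate key attributes in one reply. The `t->reply = NULL` on line 17 is what keeps the new `pairfree(&t->reply)` in ttls_free from freeing a list the outer reply now owns, which is also worth stating. I would add above the `if (t->reply)` on line 15: `/* t->reply was captured with MS-MPPE-* already removed; ownership moves to the outer reply here, so clear it before ttls_free() runs */`. The enclosing function begins and ends outside this hunk.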
DEBUG2(" TTLS: Got MS-CHAP2-Success, tunneling it to the client in a challenge.");
rcode = RLM_MODULE_HANDLED;
t->authenticated = TRUE;
+
+ /*
+ * Delete MPPE keys & encryption policy. We don't
+ * want these here.
+ */
+ pairdelete(&reply->vps, ((311 << 16) | 7));
+ pairdelete(&reply->vps, ((311 << 16) | 8));
+ pairdelete(&reply->vps, ((311 << 16) | 16));
+ pairdelete(&reply->vps, ((311 << 16) | 17));
+
+ /*
+ * Use the tunneled reply, but not now.
+ */
+ if (t->use_tunneled_reply) {
+ t->reply = reply->vps;
+ reply->vps = NULL;
+ }
+
} else { /* no MS-CHAP2-Success */
/*
* Can only have EAP-Message if there's