From 0daa9f6a134ce8f053e30b086707a7bf5082e9bf Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Fri, 15 Jan 2016 13:37:15 +0200 Subject: [PATCH] EAP-TTLS peer: Fix success after fragmented final Phase 2 message If the final Phase 2 message needed fragmentation, EAP method decision was cleared from UNCOND_SUCC or COND_SUCC to FAIL and that resulted in the authentication failing when the EAP-Success message from the server got rejected. Fix this by restoring the EAP method decision after fragmentation. Signed-off-by: Jouni Malinen --- src/eap_peer/eap_ttls.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c index 3eba99fb4..92f94dcd6 100644 --- a/src/eap_peer/eap_ttls.c +++ b/src/eap_peer/eap_ttls.c @@ -35,6 +35,7 @@ struct eap_ttls_data { void *phase2_priv; int phase2_success; int phase2_start; + EapDecision decision_succ; enum phase2_types { EAP_TTLS_PHASE2_EAP, @@ -1547,6 +1548,7 @@ static void eap_ttls_check_auth_status(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " "completed successfully"); data->phase2_success = 1; + data->decision_succ = ret->decision; #ifdef EAP_TNC if (!data->ready_for_tnc && !data->tnc_started) { /* @@ -1564,6 +1566,18 @@ static void eap_ttls_check_auth_status(struct eap_sm *sm, wpa_printf(MSG_DEBUG, "EAP-TTLS: Authentication " "completed successfully (MAY_CONT)"); data->phase2_success = 1; + data->decision_succ = ret->decision; + } else if (data->decision_succ != DECISION_FAIL && + data->phase2_success && + !data->ssl.tls_out) { + /* + * This is needed to cover the case where the final Phase 2 + * message gets fragmented since fragmentation clears + * decision back to FAIL. + */ + wpa_printf(MSG_DEBUG, + "EAP-TTLS: Restore success decision after fragmented frame sent completely"); + ret->decision = data->decision_succ; } } @@ -1638,6 +1652,7 @@ static void eap_ttls_deinit_for_reauth(struct eap_sm *sm, void *priv) data->pending_phase2_req = NULL; wpabuf_free(data->pending_resp); data->pending_resp = NULL; + data->decision_succ = DECISION_FAIL; #ifdef EAP_TNC data->ready_for_tnc = 0; data->tnc_started = 0;