[PATCH] Fix broken EAP-TLS (bug introduced 2008/08/24 by b51a3a82)

Arnaud Ebalard arno at natisbad.org
Thu Jan 29 16:31:10 CET 2009


As explained in previous mails of the thread, FreeRadius EAP-TLS support
is broken (the EAP encapsulated TLS ChangeCipherSpec and TLS Finished
messages are not sent). Bisecting the issue led me here:

    commit b51a3a82edb797f5d0a2758bd1a38359d6f66803
    Author: Alan T. DeKok <aland at freeradius.org>
    Date:   Sun Aug 24 10:04:55 2008 +0200

        Clean up debug && log messages

AFAICT, the test that prevented eaptls_ack_handler() from returning
EAPTLS_SUCCESS *before* flushing remaining local messages
(i.e. returning EAPTLS_REQUEST so that they are sent to the peer to
complete the TLS handshake) was removed in that commit.

The patch below is against the current git tree. With Axel, we tested the
fix with 2.1.3: it corrects the issue.



Signed-off-by: Arnaud Ebalard <arno at natisbad.org>
Tested-by: Axel Tillequin <axel.tillequin at gmail.com>
 src/modules/rlm_eap/libeap/eap_tls.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/src/modules/rlm_eap/libeap/eap_tls.c b/src/modules/rlm_eap/libeap/eap_tls.c
index cd95bec..42edbed 100644
--- a/src/modules/rlm_eap/libeap/eap_tls.c
+++ b/src/modules/rlm_eap/libeap/eap_tls.c
@@ -330,7 +330,8 @@ static eaptls_status_t eaptls_ack_handler(EAP_HANDLER *handler)
 		return EAPTLS_FAIL;
 	case handshake:
-		if (tls_session->info.handshake_type == finished) {
+		if ((tls_session->info.handshake_type == finished) &&
+		    (tls_session->dirty_out.used == 0)) {
 			RDEBUG2("ACK handshake is finished");
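Review bot: the hunk shows only the new guard, not the path taken when `handshake_type == finished` but `dirty_out.used != 0`; the fix relies on that case falling through to the existing `return EAPTLS_REQUEST` below the visible context so the buffered ChangeCipherSpec/Finished records are actually sent, which the reader should confirm. A one-line `RDEBUG2` on that fall-through path ("handshake finished, flushing N pending bytes") would make the state visible in debug output, which is useful given that this exact check was silently dropped in b51a3a82 during a log-message cleanup. Since the condition restores pre-b51a3a82 behaviour, a short comment above the `if` explaining why `dirty_out.used` must be zero before reporting success would help prevent a repeat of that regression.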
