@@ -900,16 +900,17 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_handler_t *eap_session,
900900 RDEBUG ("Phase 2: Stage %s" , stage_name [t -> stage ]);
901901
902902 /*
903- * If the response packet was Access-Accept, then
904- * we're OK. If not, die horribly.
903+ * If the response packet was Access-Accept, then we're
904+ * OK. If not, die horribly.
905905 *
906- * FIXME: EAP-Messages can only start with 'identity',
907- * NOT 'eap start', so we should check for that....
906+ * FIXME: EAP-Messages can only start with 'identity',
907+ * NOT 'eap start', so we should check for that....
908908 */
909909 switch (reply -> code ) {
910910 case PW_CODE_ACCESS_ACCEPT :
911911 RDEBUG ("Phase 2: Got tunneled Access-Accept" );
912912 msk1 = msk2 = false;
913+ t -> authenticated = true;
913914
914915 for (vp = fr_cursor_init (& cursor , & reply -> vps ); vp ; vp = fr_cursor_next (& cursor )) {
915916 if (vp -> da -> vendor == 0 ) {
@@ -979,7 +980,6 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_handler_t *eap_session,
979980 case PW_MSCHAP2_SUCCESS :
980981 RDEBUG ("Phase 2: Got %s, tunneling it to the client in a challenge" , vp -> da -> name );
981982 if (t -> use_tunneled_reply ) {
982- t -> authenticated = true;
983983 /*
984984 * Clean up the tunneled reply.
985985 */
@@ -1261,12 +1261,11 @@ static PW_CODE eap_teap_phase2(REQUEST *request, eap_handler_t *eap_session,
12611261 (vp -> vp_short != identity_type_requested )) {
12621262 if (t -> identity_types [identity_type_requested ].required ) {
12631263 REDEBUG ("Phase 2: We sent Identity-Type = %s, but the supplicant did not use that method - rejecting the session" , identity_type );
1264- VALUE_PAIR * vp_auth ;
12651264fail :
1266- vp_auth = fr_pair_afrom_num (fake , PW_AUTH_TYPE , 0 );
1267- if (vp_auth ) {
1268- fr_pair_add (& fake -> config , vp_auth );
1269- vp_auth -> vp_integer = PW_AUTH_TYPE_REJECT ;
1265+ vp = fr_pair_afrom_num (fake , PW_AUTH_TYPE , 0 );
1266+ if (vp ) {
1267+ fr_pair_add (& fake -> config , vp );
1268+ vp -> vp_integer = PW_AUTH_TYPE_REJECT ;
12701269 }
12711270 goto done ;
12721271 }
@@ -1289,20 +1288,26 @@ static PW_CODE eap_teap_phase2(REQUEST *request, eap_handler_t *eap_session,
12891288 fr_pair_delete (& request -> state , vp_config );
12901289
12911290 /*
1292- * wpa_supplicant continues the authentication even when there are no remaining
1293- * methods configured for it, so we skip only if this is the last round
1291+ * wpa_supplicant continues the authentication even when there are no remaining
1292+ * methods configured for it, so we skip only if this is the last round
12941293 */
12951294 if ((t -> identities_remaining == 1 ) &&
12961295 !t -> identity_types [identity_type_requested ].required &&
12971296 !(fr_pair_find_by_num (fake -> packet -> vps , PW_EAP_MESSAGE , 0 , TAG_ANY ) ||
12981297 fr_pair_find_by_num (fake -> packet -> vps , PW_USER_PASSWORD , 0 , TAG_ANY ))) {
1299- VALUE_PAIR * vp_auth ;
1298+ /*
1299+ * If we didn't have at least one authentication success, we fail.
1300+ */
1301+ if (!t -> authenticated ) {
1302+ RWDEBUG ("Phase 2: Did not find authentication material, and previous round was not authenticated" );
1303+ goto fail ;
1304+ }
13001305
13011306 RWDEBUG ("Phase 2: We sent Identity-Type = %s, but the supplicant did not send any authentication material - skipping optional method" , identity_type );
1302- vp_auth = fr_pair_afrom_num (fake , PW_AUTH_TYPE , 0 );
1303- if (vp_auth ) {
1304- fr_pair_add (& fake -> config , vp_auth );
1305- vp_auth -> vp_integer = PW_AUTH_TYPE_ACCEPT ;
1307+ vp = fr_pair_afrom_num (fake , PW_AUTH_TYPE , 0 );
1308+ if (vp ) {
1309+ fr_pair_add (& fake -> config , vp );
1310+ vp -> vp_integer = PW_AUTH_TYPE_ACCEPT ;
13061311 }
13071312 goto done ;
13081313 }
@@ -1709,26 +1714,27 @@ static PW_CODE eap_teap_process_tlvs(REQUEST *request, eap_handler_t *eap_sessio
17091714 * aren't needed by the inner-tunnel virtual server.
17101715 */
17111716 case EAP_TEAP_TLV_RESULT :
1712- gotresult = true;
17131717 if (vp -> vp_short != EAP_TEAP_TLV_RESULT_SUCCESS ) {
17141718 REDEBUG ("Phase 2: Peer sent Result = Failure - rejecting the session" );
17151719 code = PW_CODE_ACCESS_REJECT ;
1720+ } else {
1721+ gotresult = true;
17161722 }
17171723 break ;
17181724
17191725 case EAP_TEAP_TLV_INTERMED_RESULT :
1720- gotintermedresult = true;
17211726 if (vp -> vp_short != EAP_TEAP_TLV_RESULT_SUCCESS ) {
17221727 REDEBUG ("Phase 2: Peer sent Intermediate-Result = Failure - rejecting the session" );
17231728 code = PW_CODE_ACCESS_REJECT ;
1729+ } else {
1730+ gotintermedresult = true;
17241731 }
17251732 break ;
17261733
17271734 case EAP_TEAP_TLV_CRYPTO_BINDING :
1728- gotcryptobinding = true;
1729-
17301735 code = eap_teap_validate_crypto_binding (request , eap_session , tls_session ,
17311736 (eap_tlv_crypto_binding_tlv_t const * )vp -> vp_octets );
1737+ gotcryptobinding = (code == PW_CODE_ACCESS_ACCEPT );
17321738 break ;
17331739
17341740 default :
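Review bot: `gotcryptobinding` at 1737 is now derived from `code`, but the assignment at 1735 overwrites whatever `code` held before the Crypto-Binding TLV was reached, so a REJECT set by an earlier Result or Intermediate-Result TLV in the same loop (1719, 1728) would be replaced by a successful validation outcome if the loop keeps iterating after a failure (the loop head is outside the hunk). Keeping the validation result in its own variable avoids that: `PW_CODE rcode = eap_teap_validate_crypto_binding(request, eap_session, tls_session, (eap_tlv_crypto_binding_tlv_t const *)vp->vp_octets);` followed by `gotcryptobinding = (rcode == PW_CODE_ACCESS_ACCEPT);` and `if (!gotcryptobinding) code = rcode;`. Whether a failed Result/Intermediate-Result should still be recorded as seen, so that a missing TLV stays distinguishable from a failed one, depends on how `gotresult` and `gotintermedresult` are consumed after the loop, which is not visible here. eap_teap_process_tlvs continues outside the hunk.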