Always delete MS-MPPE-* from the reply. Fixes #1206

FreeRADIUS · Sep 2, 2015 · 1a3c629 · 1a3c629
1 parent f4feb8c
commit 1a3c629
Showing 1 changed file with 11 additions and 10 deletions.
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -641,6 +641,16 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_handler_t *handler, tls_se
 
 		rcode = RLM_MODULE_OK;
 
+		/*
+		 *	Always delete MPPE keys & encryption policy
+		 *	from the tunneled reply.  These never get sent
+		 *	back to the user.
+		 */
+		fr_pair_delete_by_num(&reply->vps, 7, VENDORPEC_MICROSOFT, TAG_ANY);
+		fr_pair_delete_by_num(&reply->vps, 8, VENDORPEC_MICROSOFT, TAG_ANY);
+		fr_pair_delete_by_num(&reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY);
+		fr_pair_delete_by_num(&reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY);
+
 		/*
 		 *	MS-CHAP2-Success means that we do NOT return
 		 *	an Access-Accept, but instead tunnel that
@@ -656,15 +666,6 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_handler_t *handler, tls_se
 			rcode = RLM_MODULE_HANDLED;
 			t->authenticated = true;
 
-			/*
-			 *	Delete MPPE keys & encryption policy.  We don't
-			 *	want these here.
-			 */
-			fr_pair_delete_by_num(&reply->vps, 7, VENDORPEC_MICROSOFT, TAG_ANY);
-			fr_pair_delete_by_num(&reply->vps, 8, VENDORPEC_MICROSOFT, TAG_ANY);
-			fr_pair_delete_by_num(&reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY);
-			fr_pair_delete_by_num(&reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY);
-
 			/*
 			 *	Use the tunneled reply, but not now.
 			 */
@@ -678,7 +679,7 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_handler_t *handler, tls_se
 		} else { /* no MS-CHAP2-Success */
 			/*
 			 *	Can only have EAP-Message if there's
-			 *	no MS-CHAP2-Success.  (FIXME: EAP-MSCHAP?)
+			 *	no MS-CHAP2-Success.
 			 *
 			 *	We also do NOT tunnel the EAP-Success
 			 *	attribute back to the client, as the client