From 0db5f59d0716ba8a7022be2bbca772bd59570c28 Mon Sep 17 00:00:00 2001 From: Tim Kourt Date: Wed, 11 Sep 2019 13:13:26 -0700 Subject: [PATCH] peap: Send cleartext ACK to tunneled EAP-Success Some of the EAP-PEAP server implementations seem to require a cleartext ACK for the tunneled EAP-Success message similar to EAP-TLS specification, instead of simply shutting down the tunnel like EAP-PEAPv1 requires. ACKing the tunneled EAP-Success seems also to work for implementations which were relying on the tunnel close event. --- src/eap-peap.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/eap-peap.c b/src/eap-peap.c index 0d38abe7..4037f408 100644 --- a/src/eap-peap.c +++ b/src/eap-peap.c @@ -71,7 +71,15 @@ static void eap_peap_phase2_complete(enum eap_result result, void *user_data) * The receipt of a EAP-Failure or EAP-Success within the TLS protected * channel results in a shutdown of the TLS channel by the peer. */ - eap_tls_common_tunnel_close(eap); + if (result == EAP_RESULT_SUCCESS) + /* + * Some of the EAP-PEAP server implementations seem to require a + * cleartext ACK for the tunneled EAP-Success messages instead + * of simply closing the tunnel. + */ + eap_tls_common_send_empty_response(eap); + else + eap_tls_common_tunnel_close(eap); eap_discard_success_and_failure(eap, false); eap_tls_common_set_completed(eap);
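Review bot: The unchanged comment at the top of this hunk still says that receipt of an EAP-Failure or EAP-Success within the TLS protected channel "results in a shutdown of the TLS channel by the peer", which is no longer true for the new `result == EAP_RESULT_SUCCESS` branch. Please update that comment so it says the tunnel is closed only on the non-success path and that a tunneled EAP-Success is answered with `eap_tls_common_send_empty_response(eap)`. The `if` body is a multi-line comment plus a single statement with no braces, directly followed by `else`. Braces around both branches would keep the pairing obvious and guard against a later edit adding a second statement to the success path. The commit message says the ACK "seems also to work" for implementations that relied on the tunnel close event, so it would help to record in the commit message or the new comment which server implementations this was tested against.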