diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
index fe071b3cb..ca2af4fee 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_peer.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
@@ -41,11 +41,6 @@ struct private_eap_peap_peer_t {
 */
 identification_t *peer;
- /**
- * Current EAP-PEAP state
- */
- bool start_phase2;
- /** - * Outer phase 1 EAP method */
@@ -161,7 +156,6 @@ METHOD(tls_application_t, process, status_t,
 return NEED_MORE;
 }
 type = this->ph2_method->get_type(this->ph2_method, &vendor);
- this->start_phase2 = FALSE;
 }
 status = this->ph2_method->process(this->ph2_method, in, &this->out);
@@ -198,27 +192,6 @@ METHOD(tls_application_t, build, status_t,
 eap_type_t type;
 u_int32_t vendor;
- if (this->ph2_method == NULL && this->start_phase2)
- {
- /* generate an EAP Identity response */
- this->ph2_method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
- 0, EAP_PEER, this->server, this->peer);
- if (this->ph2_method == NULL)
- {
- DBG1(DBG_IKE, "EAP_IDENTITY method not available");
- return FAILED;
- }
-
- /* synchronize EAP message identifiers of inner protocol with outer */
- this->ph2_method->set_identifier(this->ph2_method,
- this->ph1_method->get_identifier(this->ph1_method));
-
- this->ph2_method->process(this->ph2_method, NULL, &this->out);
- this->ph2_method->destroy(this->ph2_method);
- this->ph2_method = NULL;
- this->start_phase2 = FALSE;
- }
-
 if (this->out)
 {
 code = this->out->get_code(this->out);
@@ -276,7 +249,6 @@ eap_peap_peer_t *eap_peap_peer_create(identification_t *server,
 .server = server->clone(server),
 .peer = peer->clone(peer),
 .ph1_method = eap_method,
- .start_phase2 = TRUE,
 .avp = eap_peap_avp_create(FALSE),
 );
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_server.c b/src/libcharon/plugins/eap_peap/eap_peap_server.c
index f8dd8b904..3fabc3575 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_server.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_server.c
@@ -51,6 +51,11 @@ struct private_eap_peap_server_t {
 */
 bool start_phase2_tnc;
+ /**
+ * Starts phase 2 with EAP Identity request
+ */
+ bool start_phase2_id;
+ /** + * Final EAP-PEAP phase2 result */
@@ -332,12 +337,12 @@ METHOD(tls_application_t, build, status_t,
 eap_type_t type;
 u_int32_t vendor;
- if (this->ph2_method == NULL && this->start_phase2 &&
- lib->settings->get_bool(lib->settings,
- "charon.plugins.eap-peap.phase2_piggyback", FALSE))
+ if (this->ph2_method == NULL && this->start_phase2 && this->start_phase2_id)
 {
- /* generate an EAP Identity request which will be piggybacked right
- * onto the TLS Finished message thus initiating EAP-PEAP phase2
+ /*
+ * Start Phase 2 with an EAP Identity request either piggybacked right
+ * onto the TLS Finished payload or delayed after the reception of an
+ * empty EAP Acknowledge message.
 */
 this->ph2_method = charon->eap->create_instance(charon->eap, EAP_IDENTITY,
 0, EAP_SERVER, this->server, this->peer);
@@ -355,6 +360,8 @@ METHOD(tls_application_t, build, status_t,
 this->ph2_method->initiate(this->ph2_method, &this->out);
 this->start_phase2 = FALSE;
 }
+
+ this->start_phase2_id = TRUE;
 if (this->out)
 {
@@ -415,6 +422,8 @@ eap_peap_server_t *eap_peap_server_create(identification_t *server,
 .ph1_method = eap_method,
 .start_phase2 = TRUE,
 .start_phase2_tnc = TRUE,
+ .start_phase2_id = lib->settings->get_bool(lib->settings,
+ "charon.plugins.eap-peap.phase2_piggyback", FALSE),
 .phase2_result = EAP_FAILURE,
 .avp = eap_peap_avp_create(TRUE),
 );
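Review bot: The doc comment on the new `start_phase2_id` field says what it triggers but not where its value comes from or when it changes, which is what a reader of the two build() sites needs to understand the piggyback/delay behaviour. As the later hunks show, the field is seeded from `charon.plugins.eap-peap.phase2_piggyback` in eap_peap_server_create() and forced to TRUE at the end of build(), so the Identity request either rides on the first build() or waits for the next one. I would document that as `/** Send the phase 2 EAP Identity request on the next build(); seeded from the phase2_piggyback setting, forced TRUE after the first build() */`.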
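Review bot: The new comment above the `create_instance` call claims the Identity request is "delayed after the reception of an empty EAP Acknowledge message", but nothing in this condition inspects the incoming message; the delay comes solely from `start_phase2_id` being flipped elsewhere in build(), so the request goes out on whatever the next build() call happens to be. Either reword the comment to describe the mechanism actually implemented, e.g. `* onto the TLS Finished payload or deferred to the next build() call`, or, if an empty EAP Ack really is a precondition, check for it in process() before arming the flag. Note also that the settings lookup now happens once at creation time instead of on every build(), which looks intentional but is worth a word in the commit message. The build() body continues outside the hunk.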
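Review bot: `this->start_phase2_id = TRUE;` is executed unconditionally on every build() call, outside the block it is meant to arm, so its one-shot intent is only recoverable by reading the condition several lines above. Functionally the extra assignments are harmless because the flag is only consulted together with `start_phase2`, but if the tls_application build() is reachable before the TLS handshake has completed (not visible in this hunk, please confirm at the call site) the flag would already be TRUE when the Finished is produced and `phase2_piggyback = FALSE` would have no effect. I would make the arming explicit and tie it to the state it belongs to: `if (this->start_phase2) { /* send the Identity request on the next build() */ this->start_phase2_id = TRUE; }`. build() continues past the end of the hunk.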