Client sends empty EAP-TTLS packet on fatal alerts to properly shut down TLS

diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls.c b/src/libcharon/plugins/eap_ttls/eap_ttls.c
index d7372fe760ae1ade2f7dd0da9f0146021a71d15b..35a529091cffd6b111356d94da941746b8875c09 100644 (file)
--- a/src/libcharon/plugins/eap_ttls/eap_ttls.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls.c
@@ -338,6 +338,12 @@ METHOD(eap_method_t, process, status_t,
        {
                *out = read_buf(this, pkt->identifier);
        }
+       else if (status == FAILED && !this->is_server)
+       {       /* client sends an empty TLS message, waits for a EAP-Failure */
+               chunk_free(&this->output);
+               *out = read_buf(this, pkt->identifier);
+               return NEED_MORE;
+       }
        return status;
 }