Allow for new state transition on failure

if our RESPONSE gets a FAILURE message, it means that the
supplicant doesn't like our password.  Rather than complaining
about unexpected response, just send failure.

Manual pull of f26dcc5f45

diff --git a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
index 2d000e53cb399761ff0fe85a6ca35f539ccd1cee..a0401e1ac5ba9eb13b44a27edc3b262643f96752 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
+++ b/src/modules/rlm_eap/types/rlm_eap_mschapv2/rlm_eap_mschapv2.c
@@ -476,8 +476,6 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler)
                                 * jump to "authentication"
                                 */
                                goto packet_ready;
-
-
                        }
 
                        /*
@@ -488,6 +486,7 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler)
                                return 0;
                        }
 
+       failure:
                        handler->request->options &= ~RAD_REQUEST_OPTION_PROXY_EAP;
                        eap_ds->request->code = PW_EAP_FAILURE;
                        return 1;
@@ -521,6 +520,8 @@ static int mschapv2_authenticate(void *arg, EAP_HANDLER *handler)
                        return 0;
 
                case PW_EAP_MSCHAPV2_CHALLENGE:
+                       if (ccode == PW_EAP_MSCHAPV2_FAILURE) goto failure;
+
                        /*
                         * we sent a challenge, expecting a response
                         */