EAP-TTLS peer: Fix user input during implicit identity request
authorJouni Malinen <j@w1.fi>
Sun, 30 Oct 2011 10:02:20 +0000 (12:02 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 30 Oct 2011 10:02:20 +0000 (12:02 +0200)
Special processing is needed to handle EAP user request for
identity or password at the beginning of Phase 2 when the implicit
identity request is used. data->pending_phase2_req needs to be set
to an empty buffer in that case to avoid re-processing the previous
part of TLS negotiation when the user enters the needed information.

Signed-hostap: Jouni Malinen <j@w1.fi>

src/eap_peer/eap_ttls.c

index 2185932690d49a40a8c5cc819ab244a1ab61d0aa..612dfa7e3cfd4c7fff3364013574af106b0f9d32 100644 (file)
@@ -1220,6 +1220,21 @@ static int eap_ttls_implicit_identity_request(struct eap_sm *sm,
                           "processing failed");
                retval = -1;
        } else {
+               struct eap_peer_config *config = eap_get_config(sm);
+               if (resp == NULL &&
+                   (config->pending_req_identity ||
+                    config->pending_req_password ||
+                    config->pending_req_otp ||
+                    config->pending_req_new_password)) {
+                       /*
+                        * Use empty buffer to force implicit request
+                        * processing when EAP request is re-processed after
+                        * user input.
+                        */
+                       wpabuf_free(data->pending_phase2_req);
+                       data->pending_phase2_req = wpabuf_alloc(0);
+               }
+
                retval = eap_ttls_encrypt_response(sm, data, resp, identifier,
                                                   out_data);
        }
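Review bot: The added block dereferences `config` immediately after `eap_get_config(sm)` with no NULL check, and it never checks the result of `wpabuf_alloc(0)`. If eap_get_config() can return NULL on this path (not visible from the hunk), the `config->pending_req_*` tests would crash the peer; opening the condition with `if (config && resp == NULL &&` avoids that. If the allocation fails, `data->pending_phase2_req` is left NULL after the free, so the re-processing of earlier TLS data that this commit is meant to prevent would presumably still occur once the user supplies input, with nothing logged; checking the pointer and either emitting a `wpa_printf(MSG_DEBUG, ...)` or failing the exchange at that point would make the case visible. The enclosing function starts and ends outside the hunk.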