From: Alan T. DeKok <aland@freeradius.org>
Date: Mon, 19 Sep 2016 15:17:34 +0000 (-0400)
Subject: separate messages for separate error cases
X-Git-Tag: release_3_0_12~56
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=231017023e0e048a63482ccbc0b3a2dfb1fab9fa;p=thirdparty%2Ffreeradius-server.git

separate messages for separate error cases
---

diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
index f1f02e61dcf..244b46079d1 100644
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -1384,8 +1384,14 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session)
 		/*
 		 * RFC 5422 section 3.5 - Network Access after EAP-FAST Provisioning
 		 */
-		if ((t->pac.type && t->pac.expired) || t->mode == EAP_FAST_PROVISIONING_ANON) {
-			RDEBUG("Rejecting expired PAC or unauthenticated provisioning");
+		if (t->pac.type && t->pac.expired) {
+			REDEBUG("Rejecting expired PAC.");
+			code = PW_CODE_ACCESS_REJECT;
+			break;
+		}
+
+		if (t->mode == EAP_FAST_PROVISIONING_ANON) {
+			REDEBUG("Rejecting unauthenticated provisioning");
 			code = PW_CODE_ACCESS_REJECT;
 			break;
 		}
@@ -1401,8 +1407,9 @@ PW_CODE eap_fast_process(eap_handler_t *eap_session, tls_session_t *tls_session)
 		eap_add_reply(request, "EAP-EMSK", t->emsk, EAP_EMSK_LEN);
 
 		break;
+
 	default:
-		RERROR("no idea! %d", t->stage);
+		RERROR("Internal sanity check failed in EAP-FAST at %d", t->stage);
 		code = PW_CODE_ACCESS_REJECT;
 	}