Diffstat (limited to 'debian/patches/fix-ttls-mschapv2.patch')
-rw-r--r--debian/patches/fix-ttls-mschapv2.patch40
1 files changed, 40 insertions, 0 deletions
diff --git a/debian/patches/fix-ttls-mschapv2.patch b/debian/patches/fix-ttls-mschapv2.patch
new file mode 100644
index 0000000..17581e4
--- /dev/null
+++ b/debian/patches/fix-ttls-mschapv2.patch
@@ -0,0 +1,40 @@
+From 0812bc1768cedc420adc03e86893d798fa19e872 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 1 Feb 2023 14:38:53 -0500
+Subject: [PATCH] be more careful about session established. Fixes #4878
+
+---
+ src/main/tls.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index 5ca2f5fed250..4f34d70faccc 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -5338,7 +5338,13 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ return FR_TLS_FAIL;
+
+ case handshake:
+- if ((ssn->is_init_finished) && (ssn->dirty_out.used == 0)) {
++ if (ssn->dirty_out.used > 0) {
++ RDEBUG2("(TLS) Peer ACKed our handshake fragment");
++ /* Fragmentation handler, send next fragment */
++ return FR_TLS_REQUEST;
++ }
++
++ if (ssn->is_init_finished || SSL_is_init_finished(ssn->ssl)) {
+ RDEBUG2("(TLS) Peer ACKed our handshake fragment. handshake is finished");
+
+ /*
+@@ -5350,9 +5356,8 @@ fr_tls_status_t tls_ack_handler(tls_session_t *ssn, REQUEST *request)
+ return FR_TLS_SUCCESS;
+ } /* else more data to send */
+
+- RDEBUG2("(TLS) Peer ACKed our handshake fragment");
+- /* Fragmentation handler, send next fragment */
+- return FR_TLS_REQUEST;
++ REDEBUG("(TLS) Cannot continue, as the peer is misbehaving.");
++ return FR_TLS_FAIL;
+
+ case application_data:
+ RDEBUG2("(TLS) Peer ACKed our application data fragment");
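Review bot: The trailing comment `} /* else more data to send */` that closes the success branch of the `handshake` case is now stale, because the fall-through below it no longer sends another fragment; it logs an error and returns `FR_TLS_FAIL`. I would change it to `} /* else: nothing pending and handshake not finished */` and add a one-line comment above the `REDEBUG` saying that an ACK with an empty `dirty_out` and an unfinished handshake is treated as a protocol violation, so the session is failed rather than answered. The new condition also accepts `SSL_is_init_finished(ssn->ssl)` without updating `ssn->is_init_finished`. Unless the lines elided between the two inner hunks already set it, code that reads the cached flag later may still see the handshake as unfinished, so that is worth confirming. `tls_ack_handler` begins before and continues after the lines shown here.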