From 56e2448f719e4503e719f1443d8e40879b8c608d Mon Sep 17 00:00:00 2001
From: Simon Rozman
Date: Thu, 1 Sep 2016 14:59:03 +0200
Subject: [PATCH] Clearing session resumption for ownTLS added. (Have yet to learn how do you do this for Schannel. Better yet: How do you make Schannel resume a session in the first place.)
---
 lib/TLS/src/Method.cpp | 8 +++-----
 lib/TTLS/src/Method.cpp | 15 +++++++++------
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/lib/TLS/src/Method.cpp b/lib/TLS/src/Method.cpp
index fe41c41..820ec18 100644
--- a/lib/TLS/src/Method.cpp
+++ b/lib/TLS/src/Method.cpp
@@ -580,6 +580,8 @@ void eap::method_tls::get_result(
 // Mark credentials as failed, so GUI can re-prompt user.
 // But be careful: do so only if this happened after transition from handshake to application data phase.
 m_cfg.m_auth_failed = m_phase_prev < phase_application_data && m_phase >= phase_application_data;
+
+ // TODO: Research how a Schannel session context can be cleared not to resume.
 #endif
 // Do not report failure to EapHost, as it will not save updated configuration then. But we need it to save it, to alert user on next connection attempt.
@@ -1134,11 +1136,7 @@ void eap::method_tls::process_handshake()
 },
 { 0, SECBUFFER_EMPTY, NULL },
 };
- SecBufferDesc buf_in_desc = {
- SECBUFFER_VERSION,
- _countof(buf_in),
- buf_in
- };
+ SecBufferDesc buf_in_desc = { SECBUFFER_VERSION, _countof(buf_in), buf_in };
 // Prepare output buffer(s).
 SecBuffer buf_out[] = {
diff --git a/lib/TTLS/src/Method.cpp b/lib/TTLS/src/Method.cpp
index 5fd55e6..2ac733e 100644
--- a/lib/TTLS/src/Method.cpp
+++ b/lib/TTLS/src/Method.cpp
@@ -147,12 +147,15 @@ void eap::method_ttls::get_result(
 #endif
 method_tls::get_result(EapPeerMethodResultSuccess, ppResult);
- // Do not report failure to EapHost, as it will not save updated configuration then. But we need it to save it, to alert user on next connection attempt.
- // EapHost is well aware of the failed condition.
- //if (reason == EapPeerMethodResultFailure) {
- // ppResult->fIsSuccess = FALSE;
- // ppResult->dwFailureReasonCode = EAP_E_AUTHENTICATION_FAILED;
- //}
+ if (reason == EapPeerMethodResultFailure) {
+ // Clear session resumption data.
+#if EAP_TLS < EAP_TLS_SCHANNEL
+ m_cfg.m_session_id.clear();
+ m_cfg.m_master_secret.clear();
+#else
+ // TODO: Research how a Schannel session context can be cleared not to resume.
+#endif
+ }
 }
 }
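Review bot: `m_cfg.m_master_secret.clear()` in the new `#if EAP_TLS < EAP_TLS_SCHANNEL` branch releases the master secret without overwriting it first, so unless `m_master_secret` is a self-sanitizing type (its declaration is not in this hunk) the key bytes remain readable in the freed or retained storage. If it is a plain std::vector-style container, wipe it before clearing, `SecureZeroMemory(m_cfg.m_master_secret.data(), m_cfg.m_master_secret.size());` placed immediately ahead of `m_cfg.m_master_secret.clear();`. The new comment would serve a later reader better as `// Clear session resumption data so the next attempt performs a full handshake instead of resuming the session of this failed authentication.`, and since the cleared `m_cfg` presumably only takes effect once EapHost saves the updated configuration (which the unchanged success report above appears to rely on), that dependency is worth stating in the same comment. The body of `method_ttls::get_result` starts before this hunk.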