EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used

The EAP-TEAP server may skip Phase 2 if the client authentication could
be completed during Phase 1 based on client certificate. Handle this
similarly to the case of PAC use.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2020-06-20 18:05:46 +03:00
parent 9593ce6587
commit 5196293926

@ -1388,6 +1388,15 @@ static int eap_teap_process_decrypted(struct eap_sm *sm,
"EAP-TEAP: PAC used - server may decide to skip inner authentication"); "EAP-TEAP: PAC used - server may decide to skip inner authentication");
ret->methodState = METHOD_MAY_CONT; ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_COND_SUCC; ret->decision = DECISION_COND_SUCC;
} else if (data->result_success_done &&
tls_connection_get_own_cert_used(data->ssl.conn) &&
eap_teap_derive_msk(data) == 0) {
/* Assume the server might accept authentication without going
* through inner authentication. */
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Client certificate used - server may decide to skip inner authentication");
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_COND_SUCC;
} }
if (tlv.pac) { if (tlv.pac) {
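
Review bot: In the new `else if`, `eap_teap_derive_msk(data) == 0` sits inside the condition, so a key derivation failure falls through silently: no debug message is printed and `ret->methodState` / `ret->decision` are left untouched, which makes that case hard to tell apart from "no client certificate used" when reading logs. Consider testing `data->result_success_done && tls_connection_get_own_cert_used(data->ssl.conn)` first and calling `eap_teap_derive_msk()` in the body with an explicit failure log. Separately, nothing in the visible condition consults peer configuration, so once a client certificate was used in Phase 1 the peer reports `DECISION_COND_SUCC` whenever the server chooses to skip Phase 2. If a deployment expects an inner method in addition to the certificate, it would help to document whether a local setting can require it, or to add that check here. The body also repeats the two assignments from the PAC branch directly above; a small shared helper would keep the two skip paths from drifting apart.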