From de9a11f4dde9e0624a8dd4dcdcdbbdacbea3b452 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 17 Jul 2023 21:20:37 +0300
Subject: [PATCH] TTLS client: Support phase2_auth=2
Allow the phase2_auth=2 parameter (in phase1 configuration item) to be used with EAP-TTLS to require Phase 2 authentication. In practice, this disables TLS session resumption since EAP-TTLS is defined to skip Phase 2 when resuming a session.
Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_ttls.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)
diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
index c8e2de0a2..6adc22277 100644
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c
@@ -65,9 +65,30 @@ struct eap_ttls_data {
 int ready_for_tnc;
 int tnc_started;
 #endif /* EAP_TNC */
+
+ enum { NO_AUTH, FOR_INITIAL, ALWAYS } phase2_auth;
 };
+static void eap_ttls_parse_phase1(struct eap_ttls_data *data,
+ const char *phase1)
+{
+ if (os_strstr(phase1, "phase2_auth=0")) {
+ data->phase2_auth = NO_AUTH;
+ wpa_printf(MSG_DEBUG,
+ "EAP-TTLS: Do not require Phase 2 authentication");
+ } else if (os_strstr(phase1, "phase2_auth=1")) {
+ data->phase2_auth = FOR_INITIAL;
+ wpa_printf(MSG_DEBUG,
+ "EAP-TTLS: Require Phase 2 authentication for initial connection");
+ } else if (os_strstr(phase1, "phase2_auth=2")) {
+ data->phase2_auth = ALWAYS;
+ wpa_printf(MSG_DEBUG,
+ "EAP-TTLS: Require Phase 2 authentication for all cases");
+ }
+}
+
+
 static void * eap_ttls_init(struct eap_sm *sm)
 {
 struct eap_ttls_data *data;
@@ -82,6 +103,10 @@ static void * eap_ttls_init(struct eap_sm *sm)
 selected = "EAP";
 selected_non_eap = 0;
 data->phase2_type = EAP_TTLS_PHASE2_EAP;
+ data->phase2_auth = FOR_INITIAL;
+
+ if (config && config->phase1)
+ eap_ttls_parse_phase1(data, config->phase1);
 /*
 * Either one auth= type or one or more autheap= methods can be
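Review bot: The new phase2_auth field in struct eap_ttls_data carries no comment explaining the three states or the security-relevant consequence the commit message describes (ALWAYS gives up session resumption); add above the enum `/* phase2_auth=N from phase1: NO_AUTH skips Phase 2, FOR_INITIAL requires it on the initial connection (the default set in eap_ttls_init), ALWAYS also refuses fast reauth so a resumed session can never bypass Phase 2 */`. eap_ttls_parse_phase1() matches with os_strstr(), so any token that merely contains one of the three literals is accepted and the first branch in source order wins (a constructed example: a string holding `phase2_auth=20` is treated as `phase2_auth=2`); this appears to mirror how other phase1 options are parsed, but a one-line header comment stating that prefix-style match and that the field is left untouched when no `phase2_auth=` value is present would make the contract explicit. The lack of an else branch is what makes the FOR_INITIAL default in the second hunk load-bearing, which is worth saying at that assignment too.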
@@ -1703,8 +1728,9 @@ static struct wpabuf * eap_ttls_process(struct eap_sm *sm, void *priv,
 static bool eap_ttls_has_reauth_data(struct eap_sm *sm, void *priv)
 {
 struct eap_ttls_data *data = priv;
+
 return tls_connection_established(sm->ssl_ctx, data->ssl.conn) &&
- data->phase2_success;
+ data->phase2_success && data->phase2_auth != ALWAYS;
 }
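Review bot: The added `data->phase2_auth != ALWAYS` only withholds this peer's own fast-reauthentication data; it does not itself reject a session that the TLS layer resumes through some other path, so if resumption can still be negotiated independently of eap_ttls_has_reauth_data() (not visible in this hunk), a resumed session would still skip Phase 2 and the ALWAYS case would need an explicit check at the point where Phase 2 is bypassed. The intent deserves a comment on the added blank line, e.g. `/* phase2_auth=2: never attempt fast reauth, since a resumed EAP-TTLS session skips Phase 2 */`. A debug message when reauth data is declined for this reason would also help operators who see resumption stop working after setting phase2_auth=2.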