EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used

The EAP-TEAP server may skip Phase 2 if the client authentication could
be completed during Phase 1 based on client certificate. Handle this
similarly to the case of PAC use.

Signed-off-by: Jouni Malinen <j@w1.fi>

src/eap_peer/eap_teap.c

@@ -1388,6 +1388,15 @@ static int eap_teap_process_decrypted(struct eap_sm *sm,
 			   "EAP-TEAP: PAC used - server may decide to skip inner authentication");
 		ret->methodState = METHOD_MAY_CONT;
 		ret->decision = DECISION_COND_SUCC;
+	} else if (data->result_success_done &&
+		   tls_connection_get_own_cert_used(data->ssl.conn) &&
+		   eap_teap_derive_msk(data) == 0) {
+		/* Assume the server might accept authentication without going
+		 * through inner authentication. */
+		wpa_printf(MSG_DEBUG,
+			   "EAP-TEAP: Client certificate used - server may decide to skip inner authentication");
+		ret->methodState = METHOD_MAY_CONT;
+		ret->decision = DECISION_COND_SUCC;
 	}
 
 	if (tlv.pac) {