jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used

Browse source 
The EAP-TEAP server may skip Phase 2 if the client authentication could
be completed during Phase 1 based on client certificate. Handle this
similarly to the case of PAC use.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2020-06-20 18:05:46 +03:00
parent 9593ce6587
commit 5196293926
1 changed files with 9 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
src/eap_peer/eap_teap.c
View file

@ -1388,6 +1388,15 @@ static int eap_teap_process_decrypted(struct eap_sm *sm,
"EAP-TEAP: PAC used - server may decide to skip inner authentication");
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_COND_SUCC;
} else if (data->result_success_done &&
tls_connection_get_own_cert_used(data->ssl.conn) &&
eap_teap_derive_msk(data) == 0) {
/* Assume the server might accept authentication without going
* through inner authentication. */
wpa_printf(MSG_DEBUG,
"EAP-TEAP: Client certificate used - server may decide to skip inner authentication");
ret->methodState = METHOD_MAY_CONT;
ret->decision = DECISION_COND_SUCC;
}
if (tlv.pac) {