From 51962939265917184f52c81f3ed1f228956cb130 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 20 Jun 2020 18:05:46 +0300
Subject: [PATCH] EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used

The EAP-TEAP server may skip Phase 2 if the client authentication could be completed during Phase 1 based on client certificate. Handle this similarly to the case of PAC use.

Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_teap.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/eap_peer/eap_teap.c b/src/eap_peer/eap_teap.c
index 76179a329..e8cc7844c 100644
--- a/src/eap_peer/eap_teap.c
+++ b/src/eap_peer/eap_teap.c
@@ -1388,6 +1388,15 @@ static int eap_teap_process_decrypted(struct eap_sm *sm,
 "EAP-TEAP: PAC used - server may decide to skip inner authentication");
 ret->methodState = METHOD_MAY_CONT;
 ret->decision = DECISION_COND_SUCC;
+ } else if (data->result_success_done &&
+ tls_connection_get_own_cert_used(data->ssl.conn) &&
+ eap_teap_derive_msk(data) == 0) {
+ /* Assume the server might accept authentication without going
+ * through inner authentication. */
+ wpa_printf(MSG_DEBUG,
+ "EAP-TEAP: Client certificate used - server may decide to skip inner authentication");
+ ret->methodState = METHOD_MAY_CONT;
+ ret->decision = DECISION_COND_SUCC;
 }

 if (tlv.pac) {
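Review bot: The added `else if` branch accepts a skipped Phase 2 based only on `tls_connection_get_own_cert_used()`, which reports what the peer presented and says nothing about how the server was authenticated. The in-branch comment should record that trust boundary, e.g. `/* No inner method ran; server authentication relies solely on Phase 1 TLS server certificate validation. */`. Whether the peer configuration can still insist on Phase 2 when a client certificate is configured is not visible in this hunk; if it cannot, a profile that expects both a certificate and inner credentials would presumably reach `DECISION_COND_SUCC` with only the former. Separately, `eap_teap_derive_msk(data)` runs as a side effect inside the condition and a non-zero return falls through without any log, so a `wpa_printf(MSG_DEBUG, ...)` on that failure path would make a silently skipped branch diagnosable. The `if` this branch chains to and the rest of `eap_teap_process_decrypted()` lie outside the hunk.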