From: Jouni Malinen Date: Mon, 19 Aug 2019 23:11:31 +0000 (+0300) Subject: EAP-TEAP server: Fix Crypto-Binding check in PAC no-inner-auth case X-Git-Tag: hostap_2_10~2424 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=986033ff3db7adc77dc2895de6cc2d22dfbd1a1d;p=thirdparty%2Fhostap.git EAP-TEAP server: Fix Crypto-Binding check in PAC no-inner-auth case The Crypto-Binding TLV is included without Intermediate-Result TLV in this sequence since the server is skipping all inner authentication methods and is only sending out Result TLV with the Crypto-Binding TLV. Signed-off-by: Jouni Malinen --- diff --git a/src/eap_server/eap_server_teap.c b/src/eap_server/eap_server_teap.c index f45034e14..295f4df3c 100644 --- a/src/eap_server/eap_server_teap.c +++ b/src/eap_server/eap_server_teap.c @@ -57,6 +57,7 @@ struct eap_teap_data { char *srv_id_info; int anon_provisioning; + int skipped_inner_auth; int send_new_pac; /* server triggered re-keying of Tunnel PAC */ struct wpabuf *pending_phase2_resp; struct wpabuf *server_outer_tlvs; @@ -1529,6 +1530,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm, } if (sm->cfg->eap_teap_auth != 1 && + !data->skipped_inner_auth && tlv.iresult != TEAP_STATUS_SUCCESS) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Crypto-Binding TLV without intermediate Success Result"); @@ -1738,6 +1740,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm, } else if (sm->cfg->eap_teap_pac_no_inner) { wpa_printf(MSG_DEBUG, "EAP-TEAP: Used PAC and identity already known - skip inner auth"); + data->skipped_inner_auth = 1; /* FIX: Need to derive CMK here. However, how is that * supposed to be done? RFC 7170 does not tell that for * the no-inner-auth case. */
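Review bot: In the `struct eap_teap_data` hunk (@@ -57), the new `int skipped_inner_auth;` member has no comment, while the neighbouring `send_new_pac` documents its purpose inline. Since this flag now gates a Crypto-Binding validation step, a short comment saying that it is set when a PAC was used and all inner authentication methods were skipped would make its security role clear to later readers.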
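Review bot: In the `eap_teap_process_phase2_tlvs()` hunk (@@ -1529), the added `!data->skipped_inner_auth` term switches off the whole test, so in the no-inner-auth case a Crypto-Binding TLV is accepted whatever `tlv.iresult` holds, not only when the Intermediate-Result TLV is absent. The commit message only requires that the TLV may be missing in this sequence; if the parsed TLV state can distinguish "not present" from "present and not `TEAP_STATUS_SUCCESS`", consider letting the flag excuse only the missing case and still rejecting a present non-success value, so the existing debug message keeps describing every rejected path.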
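Review bot: In the `eap_teap_process_phase2_start()` hunk (@@ -1738), `data->skipped_inner_auth = 1;` is placed directly above the existing FIX comment stating that the CMK still needs to be derived here and that RFC 7170 does not say how for the no-inner-auth case. Because this patch makes the Crypto-Binding TLV acceptable on exactly that path, the comment or the commit message should say which key material the Crypto-Binding check is verified against when no inner method has run, or the FIX should be resolved in the same series. The visible lines also only ever set the flag; please confirm it is 0 at the start of each new session so the relaxed check cannot carry over.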