EAP-TEAP (client): Allow Phase 2 to be skipped if certificate is used
authorJouni Malinen <j@w1.fi>
Sat, 20 Jun 2020 15:05:46 +0000 (18:05 +0300)
committerJouni Malinen <j@w1.fi>
Sat, 20 Jun 2020 15:05:46 +0000 (18:05 +0300)
The EAP-TEAP server may skip Phase 2 if the client authentication could
be completed during Phase 1 based on client certificate. Handle this
similarly to the case of PAC use.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_teap.c

index 76179a329f7fce9dd75d9a2ff266fcc0db2b62b2..e8cc7844ce5fa85165c78f65c534e092fa26225a 100644 (file)
@@ -1388,6 +1388,15 @@ static int eap_teap_process_decrypted(struct eap_sm *sm,
                           "EAP-TEAP: PAC used - server may decide to skip inner authentication");
                ret->methodState = METHOD_MAY_CONT;
                ret->decision = DECISION_COND_SUCC;
+       } else if (data->result_success_done &&
+                  tls_connection_get_own_cert_used(data->ssl.conn) &&
+                  eap_teap_derive_msk(data) == 0) {
+               /* Assume the server might accept authentication without going
+                * through inner authentication. */
+               wpa_printf(MSG_DEBUG,
+                          "EAP-TEAP: Client certificate used - server may decide to skip inner authentication");
+               ret->methodState = METHOD_MAY_CONT;
+               ret->decision = DECISION_COND_SUCC;
        }
 
        if (tlv.pac) {
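Review bot: A failing eap_teap_derive_msk() in the new `else if` condition is silent: the branch is skipped, nothing is logged, and `ret` keeps whatever was set earlier, so a key-derivation error looks the same as "no client certificate used". Consider making the call inside the branch and logging the failure, e.g. `wpa_printf(MSG_DEBUG, "EAP-TEAP: MSK derivation failed - not accepting skipped Phase 2");`. The condition also depends on tls_connection_get_own_cert_used(), which judging by its name reports only that the local certificate was used in the TLS handshake. The comment should therefore say that a peer with Phase 2 credentials configured will accept success here without those credentials being exercised; no peer-side setting to require inner authentication is visible in this hunk. The body of eap_teap_process_decrypted starts and ends outside the hunk, so the preceding PAC branch and any later checks on `ret` could not be reviewed.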