From 986033ff3db7adc77dc2895de6cc2d22dfbd1a1d Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 20 Aug 2019 02:11:31 +0300
Subject: [PATCH] EAP-TEAP server: Fix Crypto-Binding check in PAC no-inner-auth case

The Crypto-Binding TLV is included without Intermediate-Result TLV in this sequence since the server is skipping all inner authentication methods and is only sending out Result TLV with the Crypto-Binding TLV.

Signed-off-by: Jouni Malinen
---
 src/eap_server/eap_server_teap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/eap_server/eap_server_teap.c b/src/eap_server/eap_server_teap.c
index f45034e14..295f4df3c 100644
--- a/src/eap_server/eap_server_teap.c
+++ b/src/eap_server/eap_server_teap.c
@@ -57,6 +57,7 @@ struct eap_teap_data {
 char *srv_id_info;
 int anon_provisioning;
+ int skipped_inner_auth;
 int send_new_pac; /* server triggered re-keying of Tunnel PAC */
 struct wpabuf *pending_phase2_resp;
 struct wpabuf *server_outer_tlvs;
@@ -1529,6 +1530,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
 }
 if (sm->cfg->eap_teap_auth != 1 &&
+ !data->skipped_inner_auth &&
 tlv.iresult != TEAP_STATUS_SUCCESS) {
 wpa_printf(MSG_DEBUG,
 "EAP-TEAP: Crypto-Binding TLV without intermediate Success Result");
@@ -1738,6 +1740,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
 } else if (sm->cfg->eap_teap_pac_no_inner) {
 wpa_printf(MSG_DEBUG,
 "EAP-TEAP: Used PAC and identity already known - skip inner auth");
+ data->skipped_inner_auth = 1;
 /* FIX: Need to derive CMK here. However, how is that
 * supposed to be done? RFC 7170 does not tell that for
 * the no-inner-auth case. */
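Review bot: The new `skipped_inner_auth` member of `struct eap_teap_data` has no comment, although it later switches off part of a security check. An annotation in the style of the neighbouring `send_new_pac` line would make that visible at the declaration, e.g. `int skipped_inner_auth; /* PAC used, inner auth skipped; Crypto-Binding accepted without Intermediate-Result */`. The struct definition starts and ends outside this hunk.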
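Review bot: With `!data->skipped_inner_auth` added to the condition in `eap_teap_process_phase2_tlvs()`, every value of `tlv.iresult` is accepted once the flag is set, including an explicit failure status, not only the absent Intermediate-Result TLV that the commit message describes. If the TLV parser leaves `tlv.iresult` at zero when the TLV is absent (not visible here), the skipped case could still reject a failure value, for example `(data->skipped_inner_auth ? tlv.iresult == TEAP_STATUS_FAILURE : tlv.iresult != TEAP_STATUS_SUCCESS)`. A comment above the condition stating why the no-inner-auth case is exempt would also help later readers. The function starts and ends outside this hunk.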
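Review bot: `data->skipped_inner_auth = 1` in `eap_teap_process_phase2_start()` is set and never cleared in the lines shown, so the relaxed Crypto-Binding check stays in force for the rest of the session. If any later path can still start an inner method on the same `eap_teap_data` (not visible in this hunk), the flag should be reset there with `data->skipped_inner_auth = 0;`. The existing FIX comment directly below says CMK derivation is unresolved for this case, so it is worth extending it to state which key the Crypto-Binding TLV is verified against now that the intermediate-result requirement is waived. The function continues outside the hunk.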