On Wed, Dec 25, 2024 at 12:46:42PM -0500, Alan DeKok wrote:
> If we're not provisioning, then we don't need the PAC.

Well, we might not need a PAC, but one could still be configured through out-of-band means. This is the EAP-FAST design from where this came to EAP-TEAP..

> RFC 7170bis officially deprecates the PAC, and it doesn't
> appear that other TEAP implementations use it.

This may make all this mostly theoretical, but still..

> diff --git a/src/eap_peer/eap_teap.c b/src/eap_peer/eap_teap.c
> @@ -205,6 +205,8 @@ static void * eap_teap_init(struct eap_sm *sm)
> + if (!data->provisioning_allowed) return data;
> +
> if (!config->pac_file) {
> wpa_printf(MSG_INFO, "EAP-TEAP: No PAC file configured");
> eap_teap_deinit(sm, data);

This should not just return from the function without reading the PAC file, if one were configured. Instead, that combination of !data->provisioning_allow && !config->pac_file should allow EAP-TEAP to be used, i.e., not error out from here.

-- 
Jouni Malinen PGP id EFC895FA
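
Review bot: The early return added at the top of the hunk in eap_teap_init(), `if (!data->provisioning_allowed) return data;`, is unconditional with respect to `config->pac_file`, so with provisioning disabled every later step of the function is skipped, including whatever handles a PAC file that was configured. Consider folding the new condition into the existing check instead, so that the "No PAC file configured" error path with `eap_teap_deinit(sm, data)` is taken only when provisioning is allowed and `config->pac_file` is unset, while a configured `pac_file` still falls through to the code that follows. A short comment on why a missing PAC file is acceptable when provisioning is disabled would also help, since the log message alone does not explain the distinction.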