[PATCH 1/1] Don't complain about missing PAC when teap_provisioning=0
Jouni Malinen
j at w1.fi
Fri Dec 27 02:48:30 PST 2024
On Thu, Dec 26, 2024 at 06:01:24PM -0500, Alan DeKok wrote:
> TEAP no longer supports a PAC:
>
> https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-19#section-4.2.12
>
> ...
> [RFC7170] defined a Protected Access Credential (PAC) to mirror EAP-FAST [RFC4851]. However, implementation experience and analysis determined that the PAC was not necessary. Instead, TEAP performs session resumption using the NewSessionTicket message as defined in [RFC9190] Section 2.1.2 and Section 2.1.3. As such, the PAC TLV has been deprecated.
>
> As the PAC TLV is deprecated, an entity receiving it SHOULD send a Result TLV indicating failure, and an Error TLV of Unexpected TLVs Exchanged.
> ...
Taken into account limited deployment of TEAP (and no deployment that
could have really been compliant with RFC7170), that would seem to imply
that wpa_supplicant changes should really go much further than this
particular change of not complaining about missing PAC in local
configuration..
> I've attached an updated patch with that change.
Thanks, applied.
--
Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list