From 89fc940ec003fcadda0213ef0922ec8019cf7dcd Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Wed, 6 Apr 2022 15:14:18 +0300
Subject: [PATCH] EAP-TLS: Do not allow TLSv1.3 success without protected result indication
RFC 9190 requires protected result indication to be used with TLSv1.3, so do not allow EAP-TLS to complete successfully if the server does not send that indication.
Signed-off-by: Jouni Malinen
---
 components/wpa_supplicant/src/eap_peer/eap_tls.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/components/wpa_supplicant/src/eap_peer/eap_tls.c b/components/wpa_supplicant/src/eap_peer/eap_tls.c
index dcb604e51c..8db2e1f417 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_tls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls.c
@@ -28,6 +28,7 @@ struct eap_tls_data {
 	void *ssl_ctx;
 	u8 eap_type;
 	struct wpabuf *pending_resp;
+	bool prot_success_received;
 };
@@ -249,9 +250,13 @@ static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
 			   "EAP-TLS: ACKing protected success indication (appl data 0x00)");
 		eap_peer_tls_reset_output(&data->ssl);
 		res = 1;
+		ret->methodState = METHOD_DONE;
+		ret->decision = DECISION_UNCOND_SUCC;
+		data->prot_success_received = true;
 	}
-	if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
+	if (tls_connection_established(data->ssl_ctx, data->ssl.conn) &&
+	    (!data->ssl.tls_v13 || data->prot_success_received))
 		eap_tls_success(sm, data, ret);
 	if (res == 1) {
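Review bot: The new `prot_success_received` field is set in this patch but never cleared, so if `struct eap_tls_data` is kept across a fast re-authentication (hostap's EAP-TLS peer has an init_for_reauth path that reuses `data` and only re-initializes the TLS state — not visible here, so confirm for this fork), a TLSv1.3 resumed handshake would inherit `true` from the previous exchange and the new gate in eap_tls_process would pass without a fresh indication. Reset it wherever the TLS connection is reset for a new handshake, e.g. `data->prot_success_received = false;` beside the `eap_peer_tls_reauth_init()` call, and document the field's meaning: `/* TLSv1.3: protected success indication (appl data 0x00) seen in this exchange */`. The initial value presumably relies on the struct being zero-allocated in eap_tls_init; the struct definition starts outside the hunk.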
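Review bot: The added `ret->methodState = METHOD_DONE; ret->decision = DECISION_UNCOND_SUCC;` lines mark the method as succeeded before `eap_tls_success()` — called two lines later under the new condition — has derived the key material, and since `eap_tls_success()` (outside the hunk) most likely assigns `ret->methodState`/`ret->decision` itself, one of the two assignments is either dead or silently overrides the other depending on whether that function returns early. Keep only `data->prot_success_received = true;` in the indication branch and let the single success path set the final state, so that the peer's willingness to accept EAP-Success stays tied to a successful key derivation; if eap_tls_success deliberately uses METHOD_MAY_CONT/DECISION_COND_SUCC to allow a trailing NewSessionTicket, the DONE/UNCOND_SUCC here contradicts it and belongs after the call instead. The new condition also deserves a why-comment, e.g. `/* RFC 9190: with TLSv1.3 the server MUST send the protected result indication before EAP-Success is trusted */`. eap_tls_process starts and ends outside the hunk.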