From a9170c6a205ec7a6bd5c4a179ccf475f52f004f6 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Fri, 12 Jul 2019 23:38:05 +0300
Subject: [PATCH] EAP-TLS peer: Handle possible application data at the end

EAP-TLS with TLS 1.3 uses an empty application data record from the server to indicate end of the exchange, so EAP-TLS peer will need to check for this special case and finish the exchange with an empty EAP-TLS (ACK) so that the server can send out EAP-Success.

Signed-off-by: Jouni Malinen
---
 components/wpa_supplicant/src/eap_peer/eap_tls.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/components/wpa_supplicant/src/eap_peer/eap_tls.c b/components/wpa_supplicant/src/eap_peer/eap_tls.c
index 169b4e265d..82e307d422 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_tls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls.c
@@ -242,6 +242,18 @@ static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
 		return NULL;
 	}
 
+	if (res == 2) {
+		/* Application data included in the handshake message (used by
+		 * EAP-TLS 1.3 to indicate conclusion of the exchange). */
+		wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Received Application Data",
+				resp);
+		wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Remaining tls_out data",
+				data->ssl.tls_out);
+		eap_peer_tls_reset_output(&data->ssl);
+		/* Send an ACK to allow the server to complete exchange */
+		res = 1;
+	}
+
 	if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
 		eap_tls_success(sm, data, ret);
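Review bot: The new `res == 2` branch treats any application data as the end-of-exchange signal, but the commit message describes the server sending an *empty* application data record, and nothing in the branch checks that `resp` is actually empty before it is discarded and an ACK is forced with `res = 1`. A minimal guard such as `if (wpabuf_len(resp) != 0) wpa_printf(MSG_INFO, "EAP-TLS: Unexpected %zu bytes of application data", wpabuf_len(resp));` would make a server that sends real application data visible above MSG_DEBUG level instead of having it dropped with only a hexdump trace. The comment on `eap_peer_tls_reset_output` should also say what is being thrown away, e.g. `/* Drop any pending outbound TLS data; the peer replies with an empty ACK only */`, since discarding `tls_out` is the part a later reader is most likely to question. eap_tls_process begins before this hunk, and how `resp` is released on the `res == 1` path is not visible here, so that ownership is worth confirming against the surrounding code.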