From 4e2e1eeb5f9d4e2c46b74241e7b267d09c995247 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Fri, 12 Jul 2019 23:38:05 +0300
Subject: [PATCH] EAP-TLS peer: Handle possible application data at the end

EAP-TLS with TLS 1.3 uses an empty application data record from the
server to indicate end of the exchange, so EAP-TLS peer will need to
check for this special case and finish the exchange with an empty
EAP-TLS (ACK) so that the server can send out EAP-Success.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/eap_peer/eap_tls.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c
index b7e76d93a..15d60d710 100644
--- a/src/eap_peer/eap_tls.c
+++ b/src/eap_peer/eap_tls.c
@@ -296,6 +296,18 @@ static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
 		return NULL;
 	}
 
+	if (res == 2) {
+		/* Application data included in the handshake message (used by
+		 * EAP-TLS 1.3 to indicate conclusion of the exchange). */
+		wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Received Application Data",
+				resp);
+		wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Remaining tls_out data",
+				data->ssl.tls_out);
+		eap_peer_tls_reset_output(&data->ssl);
+		/* Send an ACK to allow the server to complete exchange */
+		res = 1;
+	}
+
 	if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
 		eap_tls_success(sm, data, ret);
 
-- 
2.39.2