From: Jouni Malinen
Date: Mon, 2 May 2022 14:29:35 +0000 (+0300)
Subject: EAP-PEAP server: Fix TLS 1.3 move to Phase 2 without a new session ticket
X-Git-Tag: hostap_2_11~1962
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05406f7ae8a7dca2d51385a6d20641827e0967dd;p=thirdparty%2Fhostap.git

EAP-PEAP server: Fix TLS 1.3 move to Phase 2 without a new session ticket

When a new session ticket is not issued to the peer, Phase 2 identity request need to be sent out as a response to the Finished message from the peer. Fix this to allow the TLS server to be configured to not send out a new session ticket when using TLS 1.3.

Signed-off-by: Jouni Malinen
---
diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
index f526e8bf7..998d0e8ae 100644
--- a/src/eap_server/eap_server_peap.c
+++ b/src/eap_server/eap_server_peap.c
@@ -56,6 +56,10 @@ struct eap_peap_data {
 };
 
 
+static int eap_peap_phase2_init(struct eap_sm *sm, struct eap_peap_data *data,
+ int vendor, enum eap_type eap_type);
+
+
 static const char * eap_peap_state_txt(int state)
 {
 switch (state) {
@@ -558,10 +562,24 @@ static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
 wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, "
 "starting Phase2");
 eap_peap_state(data, PHASE2_START);
+ if (data->ssl.tls_v13 && data->ssl.tls_out &&
+ wpabuf_len(data->ssl.tls_out) == 0) {
+ /* This can happen with TLS 1.3 when a new
+ * session ticket is not generated and the
+ * Finished message from the peer terminates
+ * Phase 1. */
+ wpa_printf(MSG_DEBUG,
+ "EAP-PEAP: No pending data to send - move directly to Phase 2 ID query");
+ eap_peap_state(data, PHASE2_ID);
+ eap_peap_phase2_init(sm, data, EAP_VENDOR_IETF,
+ EAP_TYPE_IDENTITY);
+ goto phase2_id;
+ }
 }
 break;
 case PHASE2_ID:
 case PHASE2_METHOD:
+ phase2_id:
 wpabuf_free(data->ssl.tls_out);
 data->ssl.tls_out_pos = 0;
 data->ssl.tls_out = eap_peap_build_phase2_req(sm, data, id);
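Review bot: The result of `eap_peap_phase2_init()` is discarded in the new PHASE2_START branch of the second hunk, although the forward declaration added in the first hunk shows it returns an int, so a failed Phase 2 initialisation still advances the state to PHASE2_ID and jumps to `phase2_id`, where `eap_peap_build_phase2_req()` is called, presumably with no Phase 2 method set up. Whether that helper tolerates an uninitialised method is not visible here, but the state has already moved on by then, so the failure cannot be retried on the next request. I would initialise before changing state and bail out on error, e.g. `if (eap_peap_phase2_init(sm, data, EAP_VENDOR_IETF, EAP_TYPE_IDENTITY) < 0) break;` followed by `eap_peap_state(data, PHASE2_ID); goto phase2_id;`, leaving the error to whatever this function does after the switch. eap_peap_buildReq begins and ends outside the hunk, so that existing error handling could not be checked from the diff.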