From: Jouni Malinen <j@w1.fi>
Date: Tue, 1 May 2018 14:51:34 +0000 (+0300)
Subject: EAP-TLS peer: Allow NewSessionTicket after Client Finished with TLS v1.3
X-Git-Tag: hostap_2_7~380
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1854981c7817321f0069551941868bdc7892a85d;p=thirdparty%2Fhostap.git

EAP-TLS peer: Allow NewSessionTicket after Client Finished with TLS v1.3

The EAP session cannot be marked fully completed on sending Client
Finished with TLS v1.3 since the server may still send NewSessionTicket
before EAP-Success.

Signed-off-by: Jouni Malinen <j@w1.fi>
---

diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c
index cda73f963..0cfcfed63 100644
--- a/src/eap_peer/eap_tls.c
+++ b/src/eap_peer/eap_tls.c
@@ -180,8 +180,15 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
 		return;
 	}
 
-	ret->methodState = METHOD_DONE;
-	ret->decision = DECISION_UNCOND_SUCC;
+	if (data->ssl.tls_v13) {
+		/* A possible NewSessionTicket may be received before
+		 * EAP-Success, so need to allow it to be received. */
+		ret->methodState = METHOD_MAY_CONT;
+		ret->decision = DECISION_COND_SUCC;
+	} else {
+		ret->methodState = METHOD_DONE;
+		ret->decision = DECISION_UNCOND_SUCC;
+	}
 
 	eap_tls_free_key(data);
 	data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,