From: Jouni Malinen <quic_jouni@quicinc.com>
Date: Wed, 6 Apr 2022 12:14:18 +0000 (+0300)
Subject: EAP-TLS: Do not allow TLSv1.3 success without protected result indication
X-Git-Tag: hostap_2_11~2107
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9e11e746fa6b4b50cf1fe3ddb359567c00f8f269;p=thirdparty%2Fhostap.git

EAP-TLS: Do not allow TLSv1.3 success without protected result indication

RFC 9190 requires protected result indication to be used with TLSv1.3,
so do not allow EAP-TLS to complete successfully if the server does not
send that indication.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
---

diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c
index f103e7e72..2d50dd90e 100644
--- a/src/eap_peer/eap_tls.c
+++ b/src/eap_peer/eap_tls.c
@@ -26,6 +26,7 @@ struct eap_tls_data {
 	void *ssl_ctx;
 	u8 eap_type;
 	struct wpabuf *pending_resp;
+	bool prot_success_received;
 };
 
 
@@ -309,9 +310,13 @@ static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
 			   "EAP-TLS: ACKing protected success indication (appl data 0x00)");
 		eap_peer_tls_reset_output(&data->ssl);
 		res = 1;
+		ret->methodState = METHOD_DONE;
+		ret->decision = DECISION_UNCOND_SUCC;
+		data->prot_success_received = true;
 	}
 
-	if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
+	if (tls_connection_established(data->ssl_ctx, data->ssl.conn) &&
+	    (!data->ssl.tls_v13 || data->prot_success_received))
 		eap_tls_success(sm, data, ret);
 
 	if (res == 1) {