git.ipfire.org Git - thirdparty/hostap.git/commitdiff
EAP-TLS peer: Fix protected success indication check for resumed session
author Jouni Malinen <quic_jouni@quicinc.com>
Mon, 2 May 2022 13:23:20 +0000 (16:23 +0300)
committer Jouni Malinen <j@w1.fi>
Mon, 2 May 2022 14:16:44 +0000 (17:16 +0300)
The internal flag prot_success_received was not cleared between the
sessions and that resulted in the resumed session not mandating the
protected success indication to be received. Fix this by clearing the
internal flag so that the EAP-TLS handshake using session resumption
with TLS 1.3 takes care of the required check before marking the
authentication successfully completed. This will make the EAP-TLS peer
reject an EAP-Success message should it be received without the
protected success indication.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/eap_peer/eap_tls.c

index 2d50dd90e463d64fbb27c33ee70698ee75f81bd3..4167e992b3f56ae00daf94d43f2312c87185dd1a 100644 (file)
@@ -341,6 +341,7 @@ static void eap_tls_deinit_for_reauth(struct eap_sm *sm, void *priv)
 
        wpabuf_free(data->pending_resp);
        data->pending_resp = NULL;
+       data->prot_success_received = false;
 }
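Review bot: The new reset at the end of eap_tls_deinit_for_reauth() is a security-relevant state change placed among resource cleanup lines with no comment, so a later refactor of the cleanup code could drop it without anyone noticing. A one-line comment above "data->prot_success_received = false;" would help, stating that the flag is per-session and must be cleared so that a resumed TLS 1.3 session again requires the protected success indication. Only pending_resp and this flag are visible in the hunk, so it is worth confirming that no other per-session field in data survives reauthentication in the same way. A regression test in which a resumed session receives EAP-Success without the protected success indication, and the peer is expected to reject it, would lock in the behaviour the commit message describes.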