From 1854981c7817321f0069551941868bdc7892a85d Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Tue, 1 May 2018 17:51:34 +0300
Subject: [PATCH] EAP-TLS peer: Allow NewSessionTicket after Client Finished
 with TLS v1.3

The EAP session cannot be marked fully completed on sending Client
Finished with TLS v1.3 since the server may still send NewSessionTicket
before EAP-Success.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 src/eap_peer/eap_tls.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/eap_peer/eap_tls.c b/src/eap_peer/eap_tls.c
index cda73f963..0cfcfed63 100644
--- a/src/eap_peer/eap_tls.c
+++ b/src/eap_peer/eap_tls.c
@@ -180,8 +180,15 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
 		return;
 	}
 
-	ret->methodState = METHOD_DONE;
-	ret->decision = DECISION_UNCOND_SUCC;
+	if (data->ssl.tls_v13) {
+		/* A possible NewSessionTicket may be received before
+		 * EAP-Success, so need to allow it to be received. */
+		ret->methodState = METHOD_MAY_CONT;
+		ret->decision = DECISION_COND_SUCC;
+	} else {
+		ret->methodState = METHOD_DONE;
+		ret->decision = DECISION_UNCOND_SUCC;
+	}
 
 	eap_tls_free_key(data);
 	data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,