EAP-TLS peer: Handle possible application data at the end

EAP-TLS with TLS 1.3 uses an empty application data record from the
server to indicate the end of the exchange, so the EAP-TLS peer will need
to check for this special case and finish the exchange with an empty
EAP-TLS (ACK) so that the server can send out EAP-Success.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2019-07-12 23:38:05 +03:00
parent 0ef509f15e
commit 4e2e1eeb5f

@ -296,6 +296,18 @@ static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
return NULL; return NULL;
} }
if (res == 2) {
/* Application data included in the handshake message (used by
* EAP-TLS 1.3 to indicate conclusion of the exchange). */
wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Received Application Data",
resp);
wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Remaining tls_out data",
data->ssl.tls_out);
eap_peer_tls_reset_output(&data->ssl);
/* Send an ACK to allow the server to complete exchange */
res = 1;
}
if (tls_connection_established(data->ssl_ctx, data->ssl.conn)) if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
eap_tls_success(sm, data, ret); eap_tls_success(sm, data, ret);
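Review bot: The `res == 2` branch treats any application data as the end-of-exchange signal, while the commit message describes specifically an empty application data record; nothing in the hunk checks that `resp` is actually empty before `eap_peer_tls_reset_output()` discards the pending `tls_out` data and `res = 1` forces the ACK. Consider guarding the branch with `wpabuf_len(resp) == 0` (or an equivalent check on the received application data) and falling through to the existing error handling otherwise, or add a comment explaining why non-empty application data is accepted here as well. Logging the discarded `tls_out` data only at MSG_DEBUG also hides a case a debugging operator would want to see; if non-empty leftover output is unexpected at this point, a MSG_INFO message for the non-empty case would make it visible.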