DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

EAP-TLS: Do not allow TLSv1.3 success without protected result indication

Browse source 
RFC 9190 requires protected result indication to be used with TLSv1.3,
so do not allow EAP-TLS to complete successfully if the server does not
send that indication.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2022-04-06 15:14:18 +03:00 committed by Jouni Malinen
parent 6135a8a6aa
commit 9e11e746fa
1 changed files with 6 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
src/eap_peer/eap_tls.c
View file

@ -26,6 +26,7 @@ struct eap_tls_data {
void *ssl_ctx;
u8 eap_type;
struct wpabuf *pending_resp;
bool prot_success_received;
};
@ -309,9 +310,13 @@ static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
"EAP-TLS: ACKing protected success indication (appl data 0x00)");
eap_peer_tls_reset_output(&data->ssl);
res = 1;
ret->methodState = METHOD_DONE;
ret->decision = DECISION_UNCOND_SUCC;
data->prot_success_received = true;
}
if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
if (tls_connection_established(data->ssl_ctx, data->ssl.conn) &&
(!data->ssl.tls_v13 || data->prot_success_received))
eap_tls_success(sm, data, ret);
if (res == 1) {