From 34a8628d4ef2a3a460a2714f275e091c9b5f0f49 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 1 May 2018 17:51:34 +0300
Subject: [PATCH] EAP-TLS peer: Allow NewSessionTicket after Client Finished with TLS v1.3

The EAP session cannot be marked fully completed on sending Client Finished with TLS v1.3 since the server may still send NewSessionTicket before EAP-Success.

Signed-off-by: Jouni Malinen
---
 components/wpa_supplicant/src/eap_peer/eap_tls.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/components/wpa_supplicant/src/eap_peer/eap_tls.c b/components/wpa_supplicant/src/eap_peer/eap_tls.c
index b1fb8b6c54..c31768cf32 100644
--- a/components/wpa_supplicant/src/eap_peer/eap_tls.c
+++ b/components/wpa_supplicant/src/eap_peer/eap_tls.c
@@ -119,8 +119,15 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
 return;
 }
- ret->methodState = METHOD_DONE;
- ret->decision = DECISION_UNCOND_SUCC;
+ if (data->ssl.tls_v13) {
+ /* A possible NewSessionTicket may be received before
+ * EAP-Success, so need to allow it to be received. */
+ ret->methodState = METHOD_MAY_CONT;
+ ret->decision = DECISION_COND_SUCC;
+ } else {
+ ret->methodState = METHOD_DONE;
+ ret->decision = DECISION_UNCOND_SUCC;
+ }
 os_free(data->key_data);
 data->key_data = eap_peer_tls_derive_key(sm, &data->ssl,
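Review bot: The comment added in the TLS v1.3 branch explains why the method stays open (`METHOD_MAY_CONT` / `DECISION_COND_SUCC`) but not what the peer is allowed to accept in that state, even though the key material is still derived immediately below. Nothing in this hunk restricts later packets to a NewSessionTicket; the message handler is outside the hunk, so confirm it ignores or rejects anything else received after Client Finished. If eap_tls_success() can be reached a second time once a ticket has been processed (presumably it can, but the caller is not visible here), the `os_free(data->key_data)` that follows would release live key material without clearing it first. I would extend the comment to record the contract, e.g. `/* Only NewSessionTicket is expected in this state; keys are derived now and the method completes on EAP-Success. */`. eap_tls_success() begins before and continues past the hunk.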