1 files changed, 18 insertions, 0 deletions

diff --git a/freebsd/contrib/wpa/src/eap_peer/eap_tls.c b/freebsd/contrib/wpa/src/eap_peer/eap_tls.c
index c088d1f7..16927d72 100644
--- a/freebsd/contrib/wpa/src/eap_peer/eap_tls.c
+++ b/freebsd/contrib/wpa/src/eap_peer/eap_tls.c
@@ -176,6 +176,9 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
 			    struct eap_method_ret *ret)
 {
 	const char *label;
+	const u8 eap_tls13_context[] = { EAP_TYPE_TLS };
+	const u8 *context = NULL;
+	size_t context_len = 0;
 
 	wpa_printf(MSG_DEBUG, "EAP-TLS: Done");
 
@@ -186,6 +189,8 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
 
 	if (data->ssl.tls_v13) {
 		label = "EXPORTER_EAP_TLS_Key_Material";
+		context = eap_tls13_context;
+		context_len = 1;
 
 		/* A possible NewSessionTicket may be received before
 		 * EAP-Success, so need to allow it to be received. */
@@ -200,6 +205,7 @@ static void eap_tls_success(struct eap_sm *sm, struct eap_tls_data *data,
 
 	eap_tls_free_key(data);
 	data->key_data = eap_peer_tls_derive_key(sm, &data->ssl, label,
+						 context, context_len,
 						 EAP_TLS_KEY_LEN +
 						 EAP_EMSK_LEN);
 	if (data->key_data) {
@@ -292,6 +298,18 @@ static struct wpabuf * eap_tls_process(struct eap_sm *sm, void *priv,
 		return NULL;
 	}
 
+	if (res == 2) {
+		/* Application data included in the handshake message (used by
+		 * EAP-TLS 1.3 to indicate conclusion of the exchange). */
+		wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Received Application Data",
+				resp);
+		wpa_hexdump_buf(MSG_DEBUG, "EAP-TLS: Remaining tls_out data",
+				data->ssl.tls_out);
+		eap_peer_tls_reset_output(&data->ssl);
+		/* Send an ACK to allow the server to complete exchange */
+		res = 1;
+	}
+
 	if (tls_connection_established(data->ssl_ctx, data->ssl.conn))
 		eap_tls_success(sm, data, ret);