EAP-TLS peer: Determine whether TLS v1.3 or newer is used
authorJouni Malinen <j@w1.fi>
Tue, 1 May 2018 14:45:37 +0000 (17:45 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 1 May 2018 14:45:37 +0000 (17:45 +0300)
This is needed to be able to handle different key derivation and message
handshakes in EAP implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/eap_peer/eap_tls_common.c
src/eap_peer/eap_tls_common.h

index b3d4aba048ab730278edfc4eff339fe540ade4f3..a72cc08bd5dc14804cad6a04c3dc0452562035da 100644 (file)
@@ -669,6 +669,8 @@ int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data,
                 * the AS.
                 */
                int res = eap_tls_process_input(sm, data, in_data, out_data);
+               char buf[20];
+
                if (res) {
                        /*
                         * Input processing failed (res = -1) or more data is
@@ -681,6 +683,12 @@ int eap_peer_tls_process_helper(struct eap_sm *sm, struct eap_ssl_data *data,
                 * The incoming message has been reassembled and processed. The
                 * response was allocated into data->tls_out buffer.
                 */
+
+               if (tls_get_version(data->ssl_ctx, data->conn,
+                                   buf, sizeof(buf)) == 0) {
+                       wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf);
+                       data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
+               }
        }
 
        if (data->tls_out == NULL) {
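Review bot: The exact match `os_strcmp(buf, "TLSv1.3") == 0` in this hunk does not implement the "or newer" promised by the commit title and by the `tls_v13` field comment added in eap_tls_common.h. Any later version string would leave the flag at 0 and, presumably, select the pre-1.3 key derivation. Either narrow the field comment to `tls_v13 - Whether TLS v1.3 is used` or state the intent next to the comparison with `/* exact match; newer TLS versions need their own handling */`. When tls_get_version() returns non-zero the flag also silently keeps its previous value, so adding `else wpa_printf(MSG_DEBUG, "SSL: Failed to get TLS version");` would make that fallback visible in debug logs. The enclosing function starts and ends outside the hunk, so how `data->tls_v13` is initialized cannot be confirmed from here.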
index acd2b783617feb2dabb70b068836293ebf573921..306e6a98bc3f7fc85720c06854bb991814ffe0f7 100644 (file)
@@ -73,6 +73,11 @@ struct eap_ssl_data {
         * eap_type - EAP method used in Phase 1 (EAP_TYPE_TLS/PEAP/TTLS/FAST)
         */
        u8 eap_type;
+
+       /**
+        * tls_v13 - Whether TLS v1.3 or newer is used
+        */
+       int tls_v13;
 };