From: Jouni Malinen Date: Sat, 5 Jan 2019 14:52:05 +0000 (+0200) Subject: OSEN: Disable TLS v1.3 by default X-Git-Tag: hostap_2_8~573 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e3afbd796cbae8be6d1b6f5a8ea841bb5a62d753;p=thirdparty%2Fhostap.git OSEN: Disable TLS v1.3 by default TLS v1.3 was already disabled by default for EAP-FAST, EAP-TTLS, EAP-PEAP, and EAP-TLS, but the unauthenticated client cases of EAP-TLS -like functionality (e.g., the one used in OSEN) were missed. Address those EAP types as well in the same way of disabling TLS v1.3 by default for now to avoid functionality issues with TLS libraries that enable TLS v1.3 by default. Signed-off-by: Jouni Malinen --- diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c index 0de131526..0f6f0ba14 100644 --- a/src/eap_peer/eap_tls_common.c +++ b/src/eap_peer/eap_tls_common.c @@ -1,6 +1,6 @@ /* * EAP peer: EAP-TLS/PEAP/TTLS/FAST common functions - * Copyright (c) 2004-2013, Jouni Malinen + * Copyright (c) 2004-2019, Jouni Malinen * * This software may be distributed under the terms of the BSD license. * See README for more details. @@ -170,7 +170,9 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, * TLS v1.3 changes, so disable this by default for now. */ params->flags |= TLS_CONN_DISABLE_TLSv1_3; } - if (data->eap_type == EAP_TYPE_TLS) { + if (data->eap_type == EAP_TYPE_TLS || + data->eap_type == EAP_UNAUTH_TLS_TYPE || + data->eap_type == EAP_WFA_UNAUTH_TLS_TYPE) { /* While the current EAP-TLS implementation is more or less * complete for TLS v1.3, there has been no interoperability * testing with other implementations, so disable for by default
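Review bot: In the second hunk of src/eap_peer/eap_tls_common.c (@@ -170,7 +170,9 @@), the comment under the widened condition still describes only "the current EAP-TLS implementation", so the code does not explain why `EAP_UNAUTH_TLS_TYPE` and `EAP_WFA_UNAUTH_TLS_TYPE` now also get TLS v1.3 disabled. Suggest extending that comment to name the unauthenticated-client variants (the commit message gives OSEN as the example) and fixing its wording in the same change: "so disable for by default" reads as if a word is missing. The same flag, `params->flags |= TLS_CONN_DISABLE_TLSv1_3;`, is also set by the block just above, whose condition is outside the hunk. Since the commit message says these types "were missed" when the other EAP methods were handled, consider one combined check or a small helper listing every TLS-based type, so a type added later is not missed the same way.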