From 0482251a6d88cb3c18047b3d2eb8a99e97040f50 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Wed, 6 Apr 2022 16:13:22 +0300 Subject: [PATCH] EAP-TLS: Allow TLSv1.3 support to be enabled with build config The default behavior in wpa_supplicant is to disable use of TLSv1.3 in EAP-TLS unless explicitly enabled in network configuration. The new CONFIG_EAP_TLSV1_3=y build parameter can be used to change this to enable TLSv1.3 by default (if supported by the TLS library). Signed-off-by: Jouni Malinen --- src/eap_peer/eap_tls_common.c | 12 +++++++----- wpa_supplicant/Android.mk | 3 +++ wpa_supplicant/Makefile | 3 +++ wpa_supplicant/defconfig | 3 +++ 4 files changed, 16 insertions(+), 5 deletions(-) diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c index c1837db06..5fb894501 100644 --- a/src/eap_peer/eap_tls_common.c +++ b/src/eap_peer/eap_tls_common.c @@ -192,18 +192,20 @@ static int eap_tls_params_from_conf(struct eap_sm *sm, * TLS v1.3 changes, so disable this by default for now. */ params->flags |= TLS_CONN_DISABLE_TLSv1_3; } +#ifndef EAP_TLSV1_3 if (data->eap_type == EAP_TYPE_TLS || data->eap_type == EAP_UNAUTH_TLS_TYPE || data->eap_type == EAP_WFA_UNAUTH_TLS_TYPE) { /* While the current EAP-TLS implementation is more or less - * complete for TLS v1.3, there has been no interoperability - * testing with other implementations, so disable for by default - * for now until there has been chance to confirm that no - * significant interoperability issues show up with TLS version - * update. + * complete for TLS v1.3, there has been only minimal + * interoperability testing with other implementations, so + * disable it by default for now until there has been chance to + * confirm that no significant interoperability issues show up + * with TLS version update. */ params->flags |= TLS_CONN_DISABLE_TLSv1_3; } +#endif /* EAP_TLSV1_3 */ if (phase2 && sm->use_machine_cred) { wpa_printf(MSG_DEBUG, "TLS: using machine config options"); eap_tls_params_from_conf2m(params, config); diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk index 7e597f396..e45357940 100644 --- a/wpa_supplicant/Android.mk +++ b/wpa_supplicant/Android.mk @@ -478,6 +478,9 @@ OBJS += src/eap_peer/eap_tls.c endif TLS_FUNCS=y CONFIG_IEEE8021X_EAPOL=y +ifdef CONFIG_EAP_TLSV1_3 +L_CFLAGS += -DEAP_TLSV1_3 +endif endif ifdef CONFIG_EAP_UNAUTH_TLS diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 4b4688931..dfa78bd45 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -485,6 +485,9 @@ OBJS += ../src/eap_peer/eap_tls.o endif TLS_FUNCS=y CONFIG_IEEE8021X_EAPOL=y +ifdef CONFIG_EAP_TLSV1_3 +CFLAGS += -DEAP_TLSV1_3 +endif endif ifdef CONFIG_EAP_UNAUTH_TLS diff --git a/wpa_supplicant/defconfig b/wpa_supplicant/defconfig index a4719dbb5..ab3fba322 100644 --- a/wpa_supplicant/defconfig +++ b/wpa_supplicant/defconfig @@ -101,6 +101,9 @@ CONFIG_EAP_MSCHAPV2=y # EAP-TLS CONFIG_EAP_TLS=y +# Enable EAP-TLSv1.3 support by default (currently disabled unless explicitly +# enabled in network configuration) +#CONFIG_EAP_TLSV1_3=y # EAL-PEAP CONFIG_EAP_PEAP=y