DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

EAP-TLS: Allow TLSv1.3 support to be enabled with build config

Browse source 
The default behavior in wpa_supplicant is to disable use of TLSv1.3 in
EAP-TLS unless explicitly enabled in network configuration. The new
CONFIG_EAP_TLSV1_3=y build parameter can be used to change this to
enable TLSv1.3 by default (if supported by the TLS library).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2022-04-06 16:13:22 +03:00 committed by Jouni Malinen
parent 202842b8b3
commit 0482251a6d
4 changed files with 16 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/eap_peer/eap_tls_common.c
View file

@ -192,18 +192,20 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
* TLS v1.3 changes, so disable this by default for now. */ * TLS v1.3 changes, so disable this by default for now. */
params->flags |= TLS_CONN_DISABLE_TLSv1_3; params->flags |= TLS_CONN_DISABLE_TLSv1_3;
} }
#ifndef EAP_TLSV1_3
if (data->eap_type == EAP_TYPE_TLS || if (data->eap_type == EAP_TYPE_TLS ||
data->eap_type == EAP_UNAUTH_TLS_TYPE || data->eap_type == EAP_UNAUTH_TLS_TYPE ||
data->eap_type == EAP_WFA_UNAUTH_TLS_TYPE) { data->eap_type == EAP_WFA_UNAUTH_TLS_TYPE) {
/* While the current EAP-TLS implementation is more or less /* While the current EAP-TLS implementation is more or less
* complete for TLS v1.3, there has been no interoperability * complete for TLS v1.3, there has been only minimal
* testing with other implementations, so disable for by default * interoperability testing with other implementations, so
* for now until there has been chance to confirm that no * disable it by default for now until there has been chance to
* significant interoperability issues show up with TLS version * confirm that no significant interoperability issues show up
* update. * with TLS version update.
*/ */
params->flags |= TLS_CONN_DISABLE_TLSv1_3; params->flags |= TLS_CONN_DISABLE_TLSv1_3;
} }
#endif /* EAP_TLSV1_3 */
if (phase2 && sm->use_machine_cred) { if (phase2 && sm->use_machine_cred) {
wpa_printf(MSG_DEBUG, "TLS: using machine config options"); wpa_printf(MSG_DEBUG, "TLS: using machine config options");
eap_tls_params_from_conf2m(params, config); eap_tls_params_from_conf2m(params, config);

3
wpa_supplicant/Android.mk
View file

@ -478,6 +478,9 @@ OBJS += src/eap_peer/eap_tls.c
endif endif
TLS_FUNCS=y TLS_FUNCS=y
CONFIG_IEEE8021X_EAPOL=y CONFIG_IEEE8021X_EAPOL=y
ifdef CONFIG_EAP_TLSV1_3
L_CFLAGS += -DEAP_TLSV1_3
endif
endif endif
ifdef CONFIG_EAP_UNAUTH_TLS ifdef CONFIG_EAP_UNAUTH_TLS

3
wpa_supplicant/Makefile
View file

@ -485,6 +485,9 @@ OBJS += ../src/eap_peer/eap_tls.o
endif endif
TLS_FUNCS=y TLS_FUNCS=y
CONFIG_IEEE8021X_EAPOL=y CONFIG_IEEE8021X_EAPOL=y
ifdef CONFIG_EAP_TLSV1_3
CFLAGS += -DEAP_TLSV1_3
endif
endif endif
ifdef CONFIG_EAP_UNAUTH_TLS ifdef CONFIG_EAP_UNAUTH_TLS

3
wpa_supplicant/defconfig
View file

@ -101,6 +101,9 @@ CONFIG_EAP_MSCHAPV2=y
# EAP-TLS # EAP-TLS
CONFIG_EAP_TLS=y CONFIG_EAP_TLS=y
# Enable EAP-TLSv1.3 support by default (currently disabled unless explicitly
# enabled in network configuration)
#CONFIG_EAP_TLSV1_3=y
# EAL-PEAP # EAL-PEAP
CONFIG_EAP_PEAP=y CONFIG_EAP_PEAP=y