EAP-TLS: Allow TLSv1.3 support to be enabled with build config

The default behavior in wpa_supplicant is to disable use of TLSv1.3 in EAP-TLS unless explicitly enabled in network configuration. The new CONFIG_EAP_TLSV1_3=y build parameter can be used to change this to enable TLSv1.3 by default (if supported by the TLS library). Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-06 16:13:22 +03:00 · 2022-04-06 16:13:22 +03:00 · 0482251a6d
commit 0482251a6d
parent 202842b8b3
4 changed files with 16 additions and 5 deletions
--- a/src/eap_peer/eap_tls_common.c
+++ b/src/eap_peer/eap_tls_common.c
@ -192,18 +192,20 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
 		 * TLS v1.3 changes, so disable this by default for now. */
 		params->flags |= TLS_CONN_DISABLE_TLSv1_3;
 	}
+#ifndef EAP_TLSV1_3
 	if (data->eap_type == EAP_TYPE_TLS ||
 	    data->eap_type == EAP_UNAUTH_TLS_TYPE ||
 	    data->eap_type == EAP_WFA_UNAUTH_TLS_TYPE) {
 		/* While the current EAP-TLS implementation is more or less
-		 * complete for TLS v1.3, there has been no interoperability
-		 * testing with other implementations, so disable for by default
-		 * for now until there has been chance to confirm that no
-		 * significant interoperability issues show up with TLS version
-		 * update.
+		 * complete for TLS v1.3, there has been only minimal
+		 * interoperability testing with other implementations, so
+		 * disable it by default for now until there has been chance to
+		 * confirm that no significant interoperability issues show up
+		 * with TLS version update.
 		 */
 		params->flags |= TLS_CONN_DISABLE_TLSv1_3;
 	}
+#endif /* EAP_TLSV1_3 */
 	if (phase2 && sm->use_machine_cred) {
 		wpa_printf(MSG_DEBUG, "TLS: using machine config options");
 		eap_tls_params_from_conf2m(params, config);
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@ -478,6 +478,9 @@ OBJS += src/eap_peer/eap_tls.c
 endif
 TLS_FUNCS=y
 CONFIG_IEEE8021X_EAPOL=y
+ifdef CONFIG_EAP_TLSV1_3
+L_CFLAGS += -DEAP_TLSV1_3
+endif
 endif

 ifdef CONFIG_EAP_UNAUTH_TLS
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@ -485,6 +485,9 @@ OBJS += ../src/eap_peer/eap_tls.o
 endif
 TLS_FUNCS=y
 CONFIG_IEEE8021X_EAPOL=y
+ifdef CONFIG_EAP_TLSV1_3
+CFLAGS += -DEAP_TLSV1_3
+endif
 endif

 ifdef CONFIG_EAP_UNAUTH_TLS
--- a/wpa_supplicant/defconfig
+++ b/wpa_supplicant/defconfig
@ -101,6 +101,9 @@ CONFIG_EAP_MSCHAPV2=y

 # EAP-TLS
 CONFIG_EAP_TLS=y
+# Enable EAP-TLSv1.3 support by default (currently disabled unless explicitly
+# enabled in network configuration)
+#CONFIG_EAP_TLSV1_3=y

 # EAL-PEAP
 CONFIG_EAP_PEAP=y