EAP-TLS: Allow TLSv1.3 support to be enabled with build config
authorJouni Malinen <quic_jouni@quicinc.com>
Wed, 6 Apr 2022 13:13:22 +0000 (16:13 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 6 Apr 2022 21:45:40 +0000 (00:45 +0300)
The default behavior in wpa_supplicant is to disable use of TLSv1.3 in
EAP-TLS unless explicitly enabled in network configuration. The new
CONFIG_EAP_TLSV1_3=y build parameter can be used to change this to
enable TLSv1.3 by default (if supported by the TLS library).

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/eap_peer/eap_tls_common.c
wpa_supplicant/Android.mk
wpa_supplicant/Makefile
wpa_supplicant/defconfig

index c1837db06221e321de3dd788c764db42773355ac..5fb8945015fbeb67876454974a4af89db4bb8604 100644 (file)
@@ -192,18 +192,20 @@ static int eap_tls_params_from_conf(struct eap_sm *sm,
                 * TLS v1.3 changes, so disable this by default for now. */
                params->flags |= TLS_CONN_DISABLE_TLSv1_3;
        }
+#ifndef EAP_TLSV1_3
        if (data->eap_type == EAP_TYPE_TLS ||
            data->eap_type == EAP_UNAUTH_TLS_TYPE ||
            data->eap_type == EAP_WFA_UNAUTH_TLS_TYPE) {
                /* While the current EAP-TLS implementation is more or less
-                * complete for TLS v1.3, there has been no interoperability
-                * testing with other implementations, so disable for by default
-                * for now until there has been chance to confirm that no
-                * significant interoperability issues show up with TLS version
-                * update.
+                * complete for TLS v1.3, there has been only minimal
+                * interoperability testing with other implementations, so
+                * disable it by default for now until there has been chance to
+                * confirm that no significant interoperability issues show up
+                * with TLS version update.
                 */
                params->flags |= TLS_CONN_DISABLE_TLSv1_3;
        }
+#endif /* EAP_TLSV1_3 */
        if (phase2 && sm->use_machine_cred) {
                wpa_printf(MSG_DEBUG, "TLS: using machine config options");
                eap_tls_params_from_conf2m(params, config);
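Review bot: The new `#ifndef EAP_TLSV1_3` guard carries no comment tying it to the build option that defines the symbol, so a reader of eap_tls_common.c has to search the Makefiles to learn that `CONFIG_EAP_TLSV1_3=y` is what removes this default disable; suggest `#ifndef EAP_TLSV1_3 /* CONFIG_EAP_TLSV1_3=y defines this to enable TLSv1.3 for EAP-TLS by default */`. The guarded condition covers EAP_UNAUTH_TLS_TYPE and EAP_WFA_UNAUTH_TLS_TYPE as well as EAP_TYPE_TLS, so the option also changes the default for the unauthenticated TLS variants, which the commit message describes only as EAP-TLS; that is worth stating in the same comment. The earlier `params->flags |= TLS_CONN_DISABLE_TLSv1_3;` just above the guard, whose condition lies outside the hunk, stays unconditional and is presumably meant to. eap_tls_params_from_conf begins before and ends after this hunk.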
index 7e597f396a079c221e461082010a73948ff2eaf2..e45357940ff5d354d7d769ef1014228b9079580f 100644 (file)
@@ -478,6 +478,9 @@ OBJS += src/eap_peer/eap_tls.c
 endif
 TLS_FUNCS=y
 CONFIG_IEEE8021X_EAPOL=y
+ifdef CONFIG_EAP_TLSV1_3
+L_CFLAGS += -DEAP_TLSV1_3
+endif
 endif
 
 ifdef CONFIG_EAP_UNAUTH_TLS
index 4b4688931b1d16c57eef8d56a4148f1f91f42f3c..dfa78bd45faa5ef7e16d52c00a08b95f0ceca75a 100644 (file)
@@ -485,6 +485,9 @@ OBJS += ../src/eap_peer/eap_tls.o
 endif
 TLS_FUNCS=y
 CONFIG_IEEE8021X_EAPOL=y
+ifdef CONFIG_EAP_TLSV1_3
+CFLAGS += -DEAP_TLSV1_3
+endif
 endif
 
 ifdef CONFIG_EAP_UNAUTH_TLS
index a4719dbb543da91ea046f8b821d26e05d5111605..ab3fba3227dd458c40e50e02b54415761d33ae61 100644 (file)
@@ -101,6 +101,9 @@ CONFIG_EAP_MSCHAPV2=y
 
 # EAP-TLS
 CONFIG_EAP_TLS=y
+# Enable EAP-TLSv1.3 support by default (currently disabled unless explicitly
+# enabled in network configuration)
+#CONFIG_EAP_TLSV1_3=y
 
 # EAL-PEAP
 CONFIG_EAP_PEAP=y
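Review bot: The new comment reads as if "EAP-TLSv1.3" were a protocol name, and "currently disabled" does not say which default it refers to; suggest `# Enable TLSv1.3 support in EAP-TLS by default (without this, TLSv1.3 is used only when explicitly enabled in the network configuration)`, wrapped to the file's line width. This also matches the wording the commit description uses for the option.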