TLS testing: Allow hostapd to be used as a TLS testing tool

The internal TLS server implementation and RADIUS server implementation in hostapd can be configured to allow EAP clients to be tested to perform TLS validation steps correctly. This functionality is not included in the default build; CONFIG_TESTING_OPTIONS=y in hostapd/.config can be used to enable this. When enabled, the RADIUS server will configure special TLS test modes based on the received User-Name attribute value in this format: <user>@test-tls-<id>.<rest-of-realm>. For example, anonymous@test-tls-1.example.com. When this special format is used, TLS test modes are enabled. For other cases, the RADIUS server works normally. The following TLS test cases are enabled in this commit: 1 - break verify_data in the server Finished message 2 - break signed_params hash in ServerKeyExchange 3 - break Signature in ServerKeyExchange Correctly behaving TLS client must abort connection if any of these failures is detected and as such, shall not transmit continue the session. Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-02 00:43:59 +02:00 · 2014-03-02 00:43:59 +02:00 · 390b92913a
commit 390b92913a
parent 994afe3390
12 changed files with 150 additions and 0 deletions
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@ -110,6 +110,10 @@ struct eap_config {

 	const u8 *server_id;
 	size_t server_id_len;
+
+#ifdef CONFIG_TESTING_OPTIONS
+	u32 tls_test_flags;
+#endif /* CONFIG_TESTING_OPTIONS */
 };


--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@ -191,6 +191,10 @@ struct eap_sm {

 	const u8 *server_id;
 	size_t server_id_len;
+
+#ifdef CONFIG_TESTING_OPTIONS
+	u32 tls_test_flags;
+#endif /* CONFIG_TESTING_OPTIONS */
 };

 int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@ -1327,6 +1327,10 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
 	sm->server_id = conf->server_id;
 	sm->server_id_len = conf->server_id_len;

+#ifdef CONFIG_TESTING_OPTIONS
+	sm->tls_test_flags = conf->tls_test_flags;
+#endif /* CONFIG_TESTING_OPTIONS */
+
 	wpa_printf(MSG_DEBUG, "EAP: Server state machine created");

 	return sm;
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@ -63,6 +63,9 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,

 #ifdef CONFIG_TLS_INTERNAL
 	tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm);
+#ifdef CONFIG_TESTING_OPTIONS
+	tls_connection_set_test_flags(data->conn, sm->tls_test_flags);
+#endif /* CONFIG_TESTING_OPTIONS */
 #endif /* CONFIG_TLS_INTERNAL */

 	if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {