EAP-TLS: Testing functionality to skip protected success indication

This server-side testing functionality can be used to test EAP-TLS (TLS 1.3) peer behavior when the protected success indication is not sent.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen 2022-04-05 23:51:13 +03:00 committed by Jouni Malinen
parent 95fd54b862
commit 7114e56060
8 changed files with 30 additions and 0 deletions


@ -4252,6 +4252,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
bss->oci_freq_override_fils_assoc = atoi(pos);
} else if (os_strcmp(buf, "oci_freq_override_wnm_sleep") == 0) {
bss->oci_freq_override_wnm_sleep = atoi(pos);
} else if (os_strcmp(buf, "eap_skip_prot_success") == 0) {
bss->eap_skip_prot_success = atoi(pos);
#endif /* CONFIG_TESTING_OPTIONS */
#ifdef CONFIG_SAE
} else if (os_strcmp(buf, "sae_password") == 0) {


@ -331,6 +331,9 @@ struct hostapd_bss_config {
int eap_reauth_period;
int erp_send_reauth_start;
char *erp_domain;
#ifdef CONFIG_TESTING_OPTIONS
bool eap_skip_prot_success;
#endif /* CONFIG_TESTING_OPTIONS */
enum macaddr_acl {
ACCEPT_UNLESS_DENIED = 0,
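Review bot: The new `eap_skip_prot_success` member is the only field in this part of struct hostapd_bss_config without a word on what it controls, and the name alone does not say that it disables a mandatory protocol element. Since it is guarded by CONFIG_TESTING_OPTIONS it will never be in a production build, but a reader of ap_config.h should not need to chase it through authsrv.c to learn that; I would write `bool eap_skip_prot_success; /* testing: do not send EAP-TLS (TLS 1.3) protected success indication */`. The struct definition starts and ends outside this hunk.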


@ -222,6 +222,9 @@ static struct eap_config * authsrv_eap_config(struct hostapd_data *hapd)
cfg->server_id_len = 7;
}
cfg->erp = hapd->conf->eap_server_erp;
#ifdef CONFIG_TESTING_OPTIONS
cfg->skip_prot_success = hapd->conf->eap_skip_prot_success;
#endif /* CONFIG_TESTING_OPTIONS */
return cfg;
}


@ -2448,6 +2448,9 @@ int ieee802_1x_init(struct hostapd_data *hapd)
conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
conf.erp_domain = hapd->conf->erp_domain;
#ifdef CONFIG_TESTING_OPTIONS
conf.eap_skip_prot_success = hapd->conf->eap_skip_prot_success;
#endif /* CONFIG_TESTING_OPTIONS */
os_memset(&cb, 0, sizeof(cb));
cb.eapol_send = ieee802_1x_eapol_send;
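Review bot: `conf.eap_skip_prot_success` is written here into the EAPOL authenticator config, but nothing in this commit reads it: none of the eight changed files is eapol_auth_sm.c, so the field does not appear to be cloned into the allocated config or consumed, and the EAP server already receives the flag directly through `cfg->skip_prot_success` in authsrv_eap_config(). Unless a later change in eapol_auth_sm.c picks it up, these three lines and the matching header field look redundant and should either be dropped or get a comment saying who reads them. The body of ieee802_1x_init continues outside this hunk, so I may be missing a use there, but the data path for the test hook is visibly the authsrv one.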


@ -258,6 +258,10 @@ struct eap_config {
unsigned int max_auth_rounds;
unsigned int max_auth_rounds_short;
#ifdef CONFIG_TESTING_OPTIONS
bool skip_prot_success;
#endif /* CONFIG_TESTING_OPTIONS */
};
struct eap_session_data {
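Review bot: `skip_prot_success` lands in struct eap_config without a comment, and the surrounding members (`max_auth_rounds`, `max_auth_rounds_short`) do not explain it either. A one-line note is worth it because this flag makes the server violate the TLS 1.3 EAP-TLS exchange on purpose: `bool skip_prot_success; /* testing: omit EAP-TLS protected success indication */`. The struct definition starts outside this hunk.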


@ -94,6 +94,11 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
if (data->tls_out_limit > 100)
data->tls_out_limit -= 100;
}
#ifdef CONFIG_TESTING_OPTIONS
data->skip_prot_success = sm->cfg->skip_prot_success;
#endif /* CONFIG_TESTING_OPTIONS */
return 0;
}
@ -390,6 +395,13 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
break;
/* fallthrough */
case EAP_TYPE_TLS:
#ifdef CONFIG_TESTING_OPTIONS
if (data->skip_prot_success) {
wpa_printf(MSG_INFO,
"TESTING: Do not send protected success indication");
break;
}
#endif /* CONFIG_TESTING_OPTIONS */
wpa_printf(MSG_DEBUG,
"EAP-TLS: Send protected success indication (appl data 0x00)");
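Review bot: The early `break` in the new block skips the protected success indication for everything that reaches `case EAP_TYPE_TLS`, including whatever falls through from the preceding case, and the TLS 1.3 gate that the header comment on `skip_prot_success` relies on is not visible in this hunk, so the check itself carries no indication of why it is safe to bail out here. A short comment stating the intent would help the next reader distinguish this from a bug: `/* TESTING: omit the TLS 1.3 protected success indication so the peer's handling of a missing indication can be exercised */`. Logging it at MSG_INFO rather than the surrounding MSG_DEBUG is reasonable for a testing hook that changes protocol behavior. The enclosing eap_server_tls_phase1 starts and ends outside the hunk, so I cannot confirm what the caller does after the switch when the indication was not sent.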


@ -55,6 +55,8 @@ struct eap_ssl_data {
* tls_v13 - Whether TLS v1.3 or newer is used
*/
int tls_v13;
bool skip_prot_success; /* testing behavior only for TLS v1.3 */
};
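Review bot: The members of struct eap_ssl_data are documented in the kernel-doc block above (`* tls_v13 - Whether TLS v1.3 or newer is used`), but the new `skip_prot_success` gets a trailing comment instead, and unlike `eap_config::skip_prot_success` it is not wrapped in CONFIG_TESTING_OPTIONS. Keeping the member unconditional is defensible to avoid a layout that depends on a build flag, but the documentation should follow the existing style: add ` * skip_prot_success - Testing only: do not send the EAP-TLS protected success indication (TLS v1.3)` to the doc block and drop the inline comment. The struct definition starts outside this hunk.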


@ -23,6 +23,7 @@ struct eapol_auth_config {
size_t eap_req_id_text_len;
int erp_send_reauth_start;
char *erp_domain; /* a copy of this will be allocated */
bool eap_skip_prot_success;
/* Opaque context pointer to owner data for callback functions */
void *ctx;