EAP-TLS: Testing functionality to skip protected success indication

This server side testing functionality can be used to test EAP-TLSv1.3 peer behavior. Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2022-04-05 23:51:13 +03:00 · 2022-04-05 23:51:13 +03:00 · 7114e56060
commit 7114e56060
parent 95fd54b862
8 changed files with 30 additions and 0 deletions
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@ -258,6 +258,10 @@ struct eap_config {

 	unsigned int max_auth_rounds;
 	unsigned int max_auth_rounds_short;
+
+#ifdef CONFIG_TESTING_OPTIONS
+	bool skip_prot_success;
+#endif /* CONFIG_TESTING_OPTIONS */
 };

 struct eap_session_data {
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@ -94,6 +94,11 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 		if (data->tls_out_limit > 100)
 			data->tls_out_limit -= 100;
 	}
+
+#ifdef CONFIG_TESTING_OPTIONS
+	data->skip_prot_success = sm->cfg->skip_prot_success;
+#endif /* CONFIG_TESTING_OPTIONS */
+
 	return 0;
 }

@ -390,6 +395,13 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
 				break;
 			/* fallthrough */
 		case EAP_TYPE_TLS:
+#ifdef CONFIG_TESTING_OPTIONS
+			if (data->skip_prot_success) {
+				wpa_printf(MSG_INFO,
+					   "TESTING: Do not send protected success indication");
+				break;
+			}
+#endif /* CONFIG_TESTING_OPTIONS */
 			wpa_printf(MSG_DEBUG,
 				   "EAP-TLS: Send protected success indication (appl data 0x00)");

--- a/src/eap_server/eap_tls_common.h
+++ b/src/eap_server/eap_tls_common.h
@ -55,6 +55,8 @@ struct eap_ssl_data {
 	 * tls_v13 - Whether TLS v1.3 or newer is used
 	 */
 	int tls_v13;
+
+	bool skip_prot_success; /* testing behavior only for TLS v1.3 */
 };