EAP-TLS: Testing functionality to skip protected success indication
authorJouni Malinen <quic_jouni@quicinc.com>
Tue, 5 Apr 2022 20:51:13 +0000 (23:51 +0300)
committerJouni Malinen <j@w1.fi>
Wed, 6 Apr 2022 21:43:12 +0000 (00:43 +0300)
This server-side testing functionality can be used to test EAP-TLS peer
behavior with TLS 1.3.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
hostapd/config_file.c
src/ap/ap_config.h
src/ap/authsrv.c
src/ap/ieee802_1x.c
src/eap_server/eap.h
src/eap_server/eap_server_tls_common.c
src/eap_server/eap_tls_common.h
src/eapol_auth/eapol_auth_sm.h

index 442c757f14168d32475bf0585b294a9b40691380..0b6858a71bda344a7bdcf4b1a221ce4bcda8c9a4 100644 (file)
@@ -4252,6 +4252,8 @@ static int hostapd_config_fill(struct hostapd_config *conf,
                bss->oci_freq_override_fils_assoc = atoi(pos);
        } else if (os_strcmp(buf, "oci_freq_override_wnm_sleep") == 0) {
                bss->oci_freq_override_wnm_sleep = atoi(pos);
+       } else if (os_strcmp(buf, "eap_skip_prot_success") == 0) {
+               bss->eap_skip_prot_success = atoi(pos);
 #endif /* CONFIG_TESTING_OPTIONS */
 #ifdef CONFIG_SAE
        } else if (os_strcmp(buf, "sae_password") == 0) {
index 4b37a5c59e87609c8a5704c9bf97e12e3e14602f..18d1af2e56576e7384b76bf64627de7cc9ca4a0a 100644 (file)
@@ -331,6 +331,9 @@ struct hostapd_bss_config {
        int eap_reauth_period;
        int erp_send_reauth_start;
        char *erp_domain;
+#ifdef CONFIG_TESTING_OPTIONS
+       bool eap_skip_prot_success;
+#endif /* CONFIG_TESTING_OPTIONS */
 
        enum macaddr_acl {
                ACCEPT_UNLESS_DENIED = 0,
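Review bot: The new eap_skip_prot_success field in struct hostapd_bss_config carries no comment, so a reader cannot tell from this header what it skips or that it is only meaningful for EAP-TLS with TLS 1.3. A one-line trailing comment would suffice, e.g. `bool eap_skip_prot_success; /* testing: omit EAP-TLS (TLS 1.3) protected success indication */`. The struct definition starts before and continues after the hunk.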
index 8e12daf40a46c1d17c042c91281d477639970a19..35df5980370334ade723390f94a3465376b7abc7 100644 (file)
@@ -222,6 +222,9 @@ static struct eap_config * authsrv_eap_config(struct hostapd_data *hapd)
                cfg->server_id_len = 7;
        }
        cfg->erp = hapd->conf->eap_server_erp;
+#ifdef CONFIG_TESTING_OPTIONS
+       cfg->skip_prot_success = hapd->conf->eap_skip_prot_success;
+#endif /* CONFIG_TESTING_OPTIONS */
 
        return cfg;
 }
index 753c88335da73599ac1ba656360423d1c5c57973..fb5e92060b62be08c6c97e2872de4e753ca0ed11 100644 (file)
@@ -2448,6 +2448,9 @@ int ieee802_1x_init(struct hostapd_data *hapd)
        conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
        conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
        conf.erp_domain = hapd->conf->erp_domain;
+#ifdef CONFIG_TESTING_OPTIONS
+       conf.eap_skip_prot_success = hapd->conf->eap_skip_prot_success;
+#endif /* CONFIG_TESTING_OPTIONS */
 
        os_memset(&cb, 0, sizeof(cb));
        cb.eapol_send = ieee802_1x_eapol_send;
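Review bot: Nothing in this commit reads the eap_skip_prot_success value stored into conf here; the EAP server picks the flag up through struct eap_config in the authsrv.c hunk, and eap_server_tls_ssl_init copies it from sm->cfg. Unless eapol_auth_sm.c (not part of this diff) consumes eapol_auth_config.eap_skip_prot_success, this assignment and the matching header field are dead and could be dropped to keep a single source for the knob. ieee802_1x_init starts before and continues after the hunk.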
index 61032cc016bcbd586f70699b6b883ee73d0dac9a..f1d3a9c9922d122c62d5f7db8d2774d28e6f21c7 100644 (file)
@@ -258,6 +258,10 @@ struct eap_config {
 
        unsigned int max_auth_rounds;
        unsigned int max_auth_rounds_short;
+
+#ifdef CONFIG_TESTING_OPTIONS
+       bool skip_prot_success;
+#endif /* CONFIG_TESTING_OPTIONS */
 };
 
 struct eap_session_data {
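Review bot: skip_prot_success is added to struct eap_config without any comment, so a reader has to locate eap_server_tls_common.c to learn what it disables. Suggest `bool skip_prot_success; /* testing: do not send the EAP-TLS (TLS 1.3) protected success indication */`. Since this struct is consumed by the EAP server core, stating that the flag is only acted on for EAP-TLS would also help.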
index 52e501904c2aa4df51e732c87b58970add59fe8d..717af2e89b71b2ef928eb0085bc6a8a266fb66dd 100644 (file)
@@ -94,6 +94,11 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
                if (data->tls_out_limit > 100)
                        data->tls_out_limit -= 100;
        }
+
+#ifdef CONFIG_TESTING_OPTIONS
+       data->skip_prot_success = sm->cfg->skip_prot_success;
+#endif /* CONFIG_TESTING_OPTIONS */
+
        return 0;
 }
 
@@ -390,6 +395,13 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
                                break;
                        /* fallthrough */
                case EAP_TYPE_TLS:
+#ifdef CONFIG_TESTING_OPTIONS
+                       if (data->skip_prot_success) {
+                               wpa_printf(MSG_INFO,
+                                          "TESTING: Do not send protected success indication");
+                               break;
+                       }
+#endif /* CONFIG_TESTING_OPTIONS */
                        wpa_printf(MSG_DEBUG,
                                   "EAP-TLS: Send protected success indication (appl data 0x00)");
 
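Review bot: The testing branch leaves the switch with `break` before the EAP_TYPE_TLS protected-success path, but nothing states what the peer is expected to do when the indication is missing, which is the whole point of the knob. A comment above the `if`, e.g. `/* Testing: omit the TLS 1.3 protected success indication; a conforming peer must not accept EAP-Success without it */`, would make the intent explicit — the peer requirement comes from the EAP-TLS 1.3 specification rather than from this file, so word it accordingly. The field comment in eap_tls_common.h says the behavior is for TLS v1.3 only, yet no tls_v13 check is visible in this hunk; presumably the enclosing code already restricts this case to TLS 1.3, which is worth confirming. eap_server_tls_phase1 starts before and continues after the hunk.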
index b0723a1fa492cafee461da39c1ed9b68c8f7ee9c..ad28c796267256b47a0b925a0d5fbdddb0df49e9 100644 (file)
@@ -55,6 +55,8 @@ struct eap_ssl_data {
         * tls_v13 - Whether TLS v1.3 or newer is used
         */
        int tls_v13;
+
+       bool skip_prot_success; /* testing behavior only for TLS v1.3 */
 };
 
 
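Review bot: The neighbouring field in struct eap_ssl_data is documented in the block-comment style visible just above (`* tls_v13 - Whether TLS v1.3 or newer is used`), while the new field uses a trailing comment; matching that style with a `skip_prot_success - Testing only: skip the TLS v1.3 protected success indication` entry in a block comment would keep the header consistent. The field is also unconditional, whereas its counterpart in struct eap_config (eap.h hunk) is wrapped in `#ifdef CONFIG_TESTING_OPTIONS` and both the writer in eap_server_tls_ssl_init and the reader in eap_server_tls_phase1 are guarded; either guard it the same way or note in the comment that it stays false in non-testing builds. The struct starts before the hunk.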
index 5fe89c64b3a35dae2878a6818b8e8050ab53f721..61b7039d6b3178c0057c461b783e3bd89e2bca92 100644 (file)
@@ -23,6 +23,7 @@ struct eapol_auth_config {
        size_t eap_req_id_text_len;
        int erp_send_reauth_start;
        char *erp_domain; /* a copy of this will be allocated */
+       bool eap_skip_prot_success;
 
        /* Opaque context pointer to owner data for callback functions */
        void *ctx;
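Review bot: eap_skip_prot_success is added to struct eapol_auth_config unconditionally and without a comment, whereas the counterparts in hostapd_bss_config and eap_config in this commit are wrapped in `#ifdef CONFIG_TESTING_OPTIONS`, and the only writer (ieee802_1x_init) is under that guard too. Either add the same guard here, `#ifdef CONFIG_TESTING_OPTIONS` / `bool eap_skip_prot_success;` / `#endif`, or comment that the field is testing-only and is otherwise expected to remain at its zero value (which assumes the caller zero-initializes the struct — not visible in this diff). The struct starts before and continues after the hunk.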