aboutsummaryrefslogtreecommitdiffstats
path: root/src/eap_server
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2014-03-01 22:43:59 (GMT)
committerJouni Malinen <j@w1.fi>2014-03-09 16:47:09 (GMT)
commit390b92913a9a1b3a6aaf70e8b5971a7b7c76cabc (patch)
treef1133b51bd4457347248a0e126fa43dcbbe18d1d /src/eap_server
parent994afe3390695400ea63df5533c1dd9d8c2ccbd4 (diff)
downloadhostap-390b92913a9a1b3a6aaf70e8b5971a7b7c76cabc.zip
hostap-390b92913a9a1b3a6aaf70e8b5971a7b7c76cabc.tar.gz
hostap-390b92913a9a1b3a6aaf70e8b5971a7b7c76cabc.tar.bz2
TLS testing: Allow hostapd to be used as a TLS testing tool
The internal TLS server implementation and RADIUS server implementation in hostapd can be configured to allow EAP clients to be tested to perform TLS validation steps correctly. This functionality is not included in the default build; CONFIG_TESTING_OPTIONS=y in hostapd/.config can be used to enable this. When enabled, the RADIUS server will configure special TLS test modes based on the received User-Name attribute value in this format: <user>@test-tls-<id>.<rest-of-realm>. For example, anonymous@test-tls-1.example.com. When this special format is used, TLS test modes are enabled. For other cases, the RADIUS server works normally. The following TLS test cases are enabled in this commit: 1 - break verify_data in the server Finished message 2 - break signed_params hash in ServerKeyExchange 3 - break Signature in ServerKeyExchange Correctly behaving TLS client must abort connection if any of these failures is detected and as such, shall not transmit continue the session. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'src/eap_server')
-rw-r--r--src/eap_server/eap.h4
-rw-r--r--src/eap_server/eap_i.h4
-rw-r--r--src/eap_server/eap_server.c4
-rw-r--r--src/eap_server/eap_server_tls_common.c3
4 files changed, 15 insertions, 0 deletions
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index f1eb468..698a5ac 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -110,6 +110,10 @@ struct eap_config {
const u8 *server_id;
size_t server_id_len;
+
+#ifdef CONFIG_TESTING_OPTIONS
+ u32 tls_test_flags;
+#endif /* CONFIG_TESTING_OPTIONS */
};
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 0180aff..3a6802b 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -191,6 +191,10 @@ struct eap_sm {
const u8 *server_id;
size_t server_id_len;
+
+#ifdef CONFIG_TESTING_OPTIONS
+ u32 tls_test_flags;
+#endif /* CONFIG_TESTING_OPTIONS */
};
int eap_user_get(struct eap_sm *sm, const u8 *identity, size_t identity_len,
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 1999782..65d00dd 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -1327,6 +1327,10 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
sm->server_id = conf->server_id;
sm->server_id_len = conf->server_id_len;
+#ifdef CONFIG_TESTING_OPTIONS
+ sm->tls_test_flags = conf->tls_test_flags;
+#endif /* CONFIG_TESTING_OPTIONS */
+
wpa_printf(MSG_DEBUG, "EAP: Server state machine created");
return sm;
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 0afb44b..01853e6 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -63,6 +63,9 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
#ifdef CONFIG_TLS_INTERNAL
tls_connection_set_log_cb(data->conn, eap_server_tls_log_cb, sm);
+#ifdef CONFIG_TESTING_OPTIONS
+ tls_connection_set_test_flags(data->conn, sm->tls_test_flags);
+#endif /* CONFIG_TESTING_OPTIONS */
#endif /* CONFIG_TLS_INTERNAL */
if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer)) {