f3c614c6af
CVE-2019-9494 (cache attack against SAE) CVE-2019-9495 (cache attack against EAP-pwd) CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP) CVE-2019-9497 (EAP-pwd server not checking for reflection attack) CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element) CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element) Signed-off-by: Davide Caratti <dcaratti@redhat.com>
344 lines
9.6 KiB
Diff
344 lines
9.6 KiB
Diff
From c7e62303fb92f4608599a77ade315b9b5c9e161d Mon Sep 17 00:00:00 2001
|
|
Message-Id: <c7e62303fb92f4608599a77ade315b9b5c9e161d.1553704253.git.dcaratti@redhat.com>
|
|
From: Davide Caratti <dcaratti@redhat.com>
|
|
Date: Tue, 29 Jan 2019 19:01:59 +0100
|
|
Subject: [PATCH] add sanity tests for standalone wpa_supplicant
|
|
|
|
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
|
|
---
|
|
tests/tests.yml | 13 ++
|
|
tests/wpa_supplicant_standalone/Makefile | 63 ++++++
|
|
tests/wpa_supplicant_standalone/PURPOSE | 3 +
|
|
tests/wpa_supplicant_standalone/runtest.sh | 219 +++++++++++++++++++++
|
|
4 files changed, 298 insertions(+)
|
|
create mode 100644 tests/tests.yml
|
|
create mode 100644 tests/wpa_supplicant_standalone/Makefile
|
|
create mode 100644 tests/wpa_supplicant_standalone/PURPOSE
|
|
create mode 100755 tests/wpa_supplicant_standalone/runtest.sh
|
|
|
|
diff --git a/tests/tests.yml b/tests/tests.yml
|
|
new file mode 100644
|
|
index 0000000..bab9514
|
|
--- /dev/null
|
|
+++ b/tests/tests.yml
|
|
@@ -0,0 +1,13 @@
|
|
+---
|
|
+- hosts: localhost
|
|
+ roles:
|
|
+ - role: standard-test-beakerlib
|
|
+ tags:
|
|
+ - classic
|
|
+ tests:
|
|
+ - wpa_supplicant_standalone
|
|
+ required_packages:
|
|
+ - wpa_supplicant
|
|
+ - iproute
|
|
+ - iw
|
|
+ - util-linux
|
|
diff --git a/tests/wpa_supplicant_standalone/Makefile b/tests/wpa_supplicant_standalone/Makefile
|
|
new file mode 100644
|
|
index 0000000..c4bfe53
|
|
--- /dev/null
|
|
+++ b/tests/wpa_supplicant_standalone/Makefile
|
|
@@ -0,0 +1,63 @@
|
|
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
+#
|
|
+# Makefile of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
|
|
+# Description: sanity test for wpa_supplicant
|
|
+# Author: Davide Caratti <dcaratti@redhat.com>
|
|
+#
|
|
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
+#
|
|
+# Copyright (c) 2019 Red Hat, Inc.
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or
|
|
+# modify it under the terms of the GNU General Public License as
|
|
+# published by the Free Software Foundation, either version 2 of
|
|
+# the License, or (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be
|
|
+# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
+# PURPOSE. See the GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see http://www.gnu.org/licenses/.
|
|
+#
|
|
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
+
|
|
+export TEST=/CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
|
|
+export TESTVERSION=1.0
|
|
+
|
|
+BUILT_FILES=
|
|
+
|
|
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
|
|
+
|
|
+.PHONY: all install download clean
|
|
+
|
|
+run: $(FILES) build
|
|
+ ./runtest.sh
|
|
+
|
|
+build: $(BUILT_FILES)
|
|
+ test -x runtest.sh || chmod a+x runtest.sh
|
|
+
|
|
+clean:
|
|
+ rm -f *~ $(BUILT_FILES)
|
|
+
|
|
+
|
|
+include /usr/share/rhts/lib/rhts-make.include
|
|
+
|
|
+$(METADATA): Makefile
|
|
+ @echo "Owner: Davide Caratti <dcaratti@redhat.com>" > $(METADATA)
|
|
+ @echo "Name: $(TEST)" >> $(METADATA)
|
|
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
|
|
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
|
|
+ @echo "Description: sanity test for wpa_supplicant" >> $(METADATA)
|
|
+ @echo "Type: Sanity" >> $(METADATA)
|
|
+ @echo "TestTime: 10m" >> $(METADATA)
|
|
+ @echo "RunFor: wpa_supplicant" >> $(METADATA)
|
|
+ @echo "Requires: util-linux iproute iw wpa_supplicant" >> $(METADATA)
|
|
+ @echo "Priority: Normal" >> $(METADATA)
|
|
+ @echo "License: GPLv2+" >> $(METADATA)
|
|
+ @echo "Confidential: no" >> $(METADATA)
|
|
+ @echo "Destructive: no" >> $(METADATA)
|
|
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
|
|
+
|
|
+ rhts-lint $(METADATA)
|
|
diff --git a/tests/wpa_supplicant_standalone/PURPOSE b/tests/wpa_supplicant_standalone/PURPOSE
|
|
new file mode 100644
|
|
index 0000000..a183dc3
|
|
--- /dev/null
|
|
+++ b/tests/wpa_supplicant_standalone/PURPOSE
|
|
@@ -0,0 +1,3 @@
|
|
+PURPOSE of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
|
|
+Description: sanity test for wpa_supplicant
|
|
+Author: Davide Caratti <dcaratti@redhat.com>
|
|
diff --git a/tests/wpa_supplicant_standalone/runtest.sh b/tests/wpa_supplicant_standalone/runtest.sh
|
|
new file mode 100755
|
|
index 0000000..16390d8
|
|
--- /dev/null
|
|
+++ b/tests/wpa_supplicant_standalone/runtest.sh
|
|
@@ -0,0 +1,219 @@
|
|
+#!/bin/bash
|
|
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
|
|
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
+#
|
|
+# runtest.sh of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
|
|
+# Description: sanity test for wpa_supplicant
|
|
+# Author: Davide Caratti <dcaratti@redhat.com>
|
|
+#
|
|
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
+#
|
|
+# Copyright (c) 2019 Red Hat, Inc.
|
|
+#
|
|
+# This program is free software: you can redistribute it and/or
|
|
+# modify it under the terms of the GNU General Public License as
|
|
+# published by the Free Software Foundation, either version 2 of
|
|
+# the License, or (at your option) any later version.
|
|
+#
|
|
+# This program is distributed in the hope that it will be
|
|
+# useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
|
+# PURPOSE. See the GNU General Public License for more details.
|
|
+#
|
|
+# You should have received a copy of the GNU General Public License
|
|
+# along with this program. If not, see http://www.gnu.org/licenses/.
|
|
+#
|
|
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
+
|
|
+# Include Beaker environment
|
|
+. /usr/bin/rhts-environment.sh || exit 1
|
|
+. /usr/share/beakerlib/beakerlib.sh || exit 1
|
|
+
|
|
+PACKAGE="wpa_supplicant"
|
|
+
|
|
+MACSTA="00:00:0a:bb:e1:1a"
|
|
+IFACEAP="wlan0"
|
|
+IFACESTA="wlan1"
|
|
+
|
|
+open_ap() {
|
|
+ local SSID=${1:-notreallyassid}
|
|
+
|
|
+ cat >openap.conf <<-EOF
|
|
+ network={
|
|
+ frequency=2412
|
|
+ ssid="$SSID"
|
|
+ mode=2
|
|
+ key_mgmt=NONE
|
|
+ }
|
|
+ EOF
|
|
+ wpa_supplicant -ddd -Dnl80211 -i$IFACEAP -copenap.conf -B -fopenap.log -Pw1ap.pid
|
|
+}
|
|
+
|
|
+open_sta() {
|
|
+ local SSID=${1:-notreallyassid}
|
|
+
|
|
+ cat >opensta.conf <<-EOF
|
|
+ network={
|
|
+ ssid="$SSID"
|
|
+ key_mgmt=NONE
|
|
+ }
|
|
+ EOF
|
|
+ wpa_supplicant -ddd -Dnl80211 -i$IFACESTA -copensta.conf -B -fopensta.log -Pw1sta.pid
|
|
+}
|
|
+
|
|
+wpa2psk_ap() {
|
|
+ local SSID=${1:-notreallyassid}
|
|
+
|
|
+ cat >wpapskap.conf <<-EOF
|
|
+ network={
|
|
+ frequency=2437
|
|
+ ssid="$SSID"
|
|
+ mode=2
|
|
+ key_mgmt=WPA-PSK
|
|
+ pairwise=CCMP
|
|
+ group=CCMP
|
|
+ psk="hunter2?"
|
|
+ }
|
|
+ EOF
|
|
+ wpa_supplicant -ddd -Dnl80211 -i$IFACEAP -cwpapskap.conf -B -fwpapskap.log -Pw2ap.pid
|
|
+}
|
|
+
|
|
+wpa2psk_sta() {
|
|
+ local SSID=${1:-notreallyassid}
|
|
+
|
|
+ cat >wpapsksta.conf <<-EOF
|
|
+ network={
|
|
+ frequency=2437
|
|
+ ssid="$SSID"
|
|
+ proto=WPA
|
|
+ key_mgmt=WPA-PSK
|
|
+ pairwise=CCMP
|
|
+ group=CCMP
|
|
+ psk="hunter2?"
|
|
+ }
|
|
+ EOF
|
|
+ wpa_supplicant -ddd -Dnl80211 -i$IFACESTA -cwpapsksta.conf -B -fwpapsksta.log -Pw2sta.pid
|
|
+}
|
|
+
|
|
+kill_supplicants() {
|
|
+ local a=`cat w*.pid`
|
|
+ local iter=0
|
|
+
|
|
+ while [ ${#a} -gt 0 -a $iter -lt 10 ]; do
|
|
+ for a in $a; do
|
|
+ kill $a 1>/dev/null 2>&1
|
|
+ sleep 1
|
|
+ done
|
|
+ a=`cat w*.pid`
|
|
+ iter=$((iter+1))
|
|
+ done
|
|
+
|
|
+ ip link set dev $IFACEAP down
|
|
+ ip link set dev $IFACESTA down
|
|
+
|
|
+ if [ $iter -ge 10 -a ${#a} -gt 0 ]; then
|
|
+ return 1
|
|
+ else
|
|
+ return 0
|
|
+ fi
|
|
+}
|
|
+
|
|
+check_for_associated_sta()
|
|
+{
|
|
+
|
|
+ local assoc_found=0 assoc_missed=0
|
|
+
|
|
+ ip link set dev $IFACEAP up
|
|
+ while sleep 2; do
|
|
+ if iw dev $IFACEAP station dump | grep -i $MACSTA ; then
|
|
+ assoc_found=$((assoc_found+1))
|
|
+ rlLog "found $MACSTA in $IFACEAP associations ($assoc_found)"
|
|
+ else
|
|
+ if [ $assoc_found -gt 0 ]; then
|
|
+ rlLog "association disappeared after $assoc_found cycles"
|
|
+ return 1
|
|
+ fi
|
|
+ rlLog "didn't find association ($assoc_missed)"
|
|
+ assoc_missed=$((assoc_missed+1))
|
|
+ fi
|
|
+ if [ $assoc_missed -gt 5 ]; then
|
|
+ rlLog "timeout waiting for $MACSTA in $IFACEAP station dump"
|
|
+ return 1
|
|
+ fi
|
|
+ if [ $assoc_found -gt 5 ]; then
|
|
+ return 0
|
|
+ fi
|
|
+ done
|
|
+ rlLog "sleep failed!"
|
|
+ return 1
|
|
+}
|
|
+
|
|
+check_for_running_aps()
|
|
+{
|
|
+ local probe_ok=0 probe_missed=0
|
|
+
|
|
+ ip link set dev $IFACESTA up
|
|
+ while sleep 1; do
|
|
+ if iw dev $IFACESTA scan | grep "${1:-notreallyassid}"; then
|
|
+ probe_ok=$((probe_ok+1))
|
|
+ rlLog "$probe_ok probe received"
|
|
+ else
|
|
+ if [ $probe_ok -gt 0 ]; then
|
|
+ rlLog "probe failure after $probe_ok attempts"
|
|
+ return 1
|
|
+ fi
|
|
+ rlLog "missed probe response"
|
|
+ probe_missed=$((probe_missed+1))
|
|
+ fi
|
|
+ if [ $probe_missed -gt 5 ]; then
|
|
+ rlLog "timeout waiting for beacons"
|
|
+ return 1
|
|
+ fi
|
|
+ if [ $probe_ok -gt 5 ]; then
|
|
+ return 0
|
|
+ fi
|
|
+ done
|
|
+ rlLog "sleep failed!"
|
|
+ return 1
|
|
+}
|
|
+
|
|
+rlJournalStart
|
|
+ rlPhaseStartSetup
|
|
+ rlAssertRpm $PACKAGE
|
|
+ # avoid randomizing MAC for wlan0 and wlan1
|
|
+ rlRun "systemctl stop NetworkManager"
|
|
+ # allow scans
|
|
+ rlRun "systemctl stop wpa_supplicant"
|
|
+ rlRun "rfkill unblock wifi"
|
|
+ rlRun "modprobe mac80211_hwsim radio=2"
|
|
+ rlRun "ip link set dev $IFACESTA address $MACSTA"
|
|
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
|
|
+ rlRun "pushd $TmpDir"
|
|
+ rlPhaseEnd
|
|
+
|
|
+ rlPhaseStartTest
|
|
+ # cleartext wifi
|
|
+ rlRun "kill_supplicants"
|
|
+ rlRun "open_ap test_OPEN"
|
|
+ rlRun "check_for_running_aps test_OPEN"
|
|
+ rlRun "open_sta test_OPEN"
|
|
+ rlRun "check_for_associated_sta test_OPEN"
|
|
+
|
|
+ # WPA2 personal
|
|
+ rlRun "kill_supplicants"
|
|
+ rlRun "wpa2psk_ap test_WPAPSK"
|
|
+ rlRun "check_for_running_aps test_WPAPSK"
|
|
+ rlRun "wpa2psk_sta test_WPAPSK"
|
|
+ rlRun "check_for_associated_sta test_WPAPSK"
|
|
+ rlPhaseEnd
|
|
+
|
|
+ rlPhaseStartCleanup
|
|
+ rlRun kill_supplicants
|
|
+ rlRun "popd"
|
|
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
|
|
+ rlRun "modprobe -r mac80211_hwsim"
|
|
+ rlRun "systemctl restart wpa_supplicant"
|
|
+ rlRun "systemctl restart NetworkManager"
|
|
+ rlPhaseEnd
|
|
+ rlJournalPrintText
|
|
+rlJournalEnd
|
|
--
|
|
2.20.1
|
|
|