wpa_supplicant/0001-add-sanity-tests-for-standalone-wpa_supplicant.patch
Davide Caratti f3c614c6af fix SAE and EAP_PWD vulnerabilities
CVE-2019-9494 (cache attack against SAE)
CVE-2019-9495 (cache attack against EAP-pwd)
CVE-2019-9496 (SAE confirm missing state validation in hostapd/AP)
CVE-2019-9497 (EAP-pwd server not checking for reflection attack)
CVE-2019-9498 (EAP-pwd server missing commit validation for scalar/element)
CVE-2019-9499 (EAP-pwd peer missing commit validation for scalar/element)

Signed-off-by: Davide Caratti <dcaratti@redhat.com>
2019-04-12 12:14:43 +02:00


From c7e62303fb92f4608599a77ade315b9b5c9e161d Mon Sep 17 00:00:00 2001
Message-Id: <c7e62303fb92f4608599a77ade315b9b5c9e161d.1553704253.git.dcaratti@redhat.com>
From: Davide Caratti <dcaratti@redhat.com>
Date: Tue, 29 Jan 2019 19:01:59 +0100
Subject: [PATCH] add sanity tests for standalone wpa_supplicant
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
tests/tests.yml | 13 ++
tests/wpa_supplicant_standalone/Makefile | 63 ++++++
tests/wpa_supplicant_standalone/PURPOSE | 3 +
tests/wpa_supplicant_standalone/runtest.sh | 219 +++++++++++++++++++++
4 files changed, 298 insertions(+)
create mode 100644 tests/tests.yml
create mode 100644 tests/wpa_supplicant_standalone/Makefile
create mode 100644 tests/wpa_supplicant_standalone/PURPOSE
create mode 100755 tests/wpa_supplicant_standalone/runtest.sh
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..bab9514
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,13 @@
+---
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - classic
+ tests:
+ - wpa_supplicant_standalone
+ required_packages:
+ - wpa_supplicant
+ - iproute
+ - iw
+ - util-linux
diff --git a/tests/wpa_supplicant_standalone/Makefile b/tests/wpa_supplicant_standalone/Makefile
new file mode 100644
index 0000000..c4bfe53
--- /dev/null
+++ b/tests/wpa_supplicant_standalone/Makefile
@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Makefile of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
+# Description: sanity test for wpa_supplicant
+# Author: Davide Caratti <dcaratti@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2019 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+ ./runtest.sh
+
+build: $(BUILT_FILES)
+ test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+ rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+ @echo "Owner: Davide Caratti <dcaratti@redhat.com>" > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: sanity test for wpa_supplicant" >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 10m" >> $(METADATA)
+ @echo "RunFor: wpa_supplicant" >> $(METADATA)
+ @echo "Requires: util-linux iproute iw wpa_supplicant" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2+" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+
+ rhts-lint $(METADATA)
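Review bot: The `.PHONY` line lists `all install download clean` but not `run` and `build`, the two targets this Makefile defines itself, so a stray file with either name in the test directory would make Make skip them; `.PHONY: all install download clean run build` covers that, unless rhts-make.include (not visible here) already declares them. The generated metadata also states `Destructive: no`, while runtest.sh in the same patch stops NetworkManager and wpa_supplicant, unblocks rfkill and loads `mac80211_hwsim`. Whether that counts as destructive in the Beaker sense is worth confirming. A comment above the `$(METADATA)` rule, such as `# test stops NetworkManager/wpa_supplicant and loads mac80211_hwsim; run on a dedicated host`, would record the host impact.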
diff --git a/tests/wpa_supplicant_standalone/PURPOSE b/tests/wpa_supplicant_standalone/PURPOSE
new file mode 100644
index 0000000..a183dc3
--- /dev/null
+++ b/tests/wpa_supplicant_standalone/PURPOSE
@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
+Description: sanity test for wpa_supplicant
+Author: Davide Caratti <dcaratti@redhat.com>
diff --git a/tests/wpa_supplicant_standalone/runtest.sh b/tests/wpa_supplicant_standalone/runtest.sh
new file mode 100755
index 0000000..16390d8
--- /dev/null
+++ b/tests/wpa_supplicant_standalone/runtest.sh
@@ -0,0 +1,219 @@
+#!/bin/bash
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# runtest.sh of /CoreOS/wpa_supplicant/Sanity/wpa_supplicant_standalone
+# Description: sanity test for wpa_supplicant
+# Author: Davide Caratti <dcaratti@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+# Copyright (c) 2019 Red Hat, Inc.
+#
+# This program is free software: you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation, either version 2 of
+# the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+# PURPOSE. See the GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see http://www.gnu.org/licenses/.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="wpa_supplicant"
+
+MACSTA="00:00:0a:bb:e1:1a"
+IFACEAP="wlan0"
+IFACESTA="wlan1"
+
+open_ap() {
+ local SSID=${1:-notreallyassid}
+
+ cat >openap.conf <<-EOF
+ network={
+ frequency=2412
+ ssid="$SSID"
+ mode=2
+ key_mgmt=NONE
+ }
+ EOF
+ wpa_supplicant -ddd -Dnl80211 -i$IFACEAP -copenap.conf -B -fopenap.log -Pw1ap.pid
+}
+
+open_sta() {
+ local SSID=${1:-notreallyassid}
+
+ cat >opensta.conf <<-EOF
+ network={
+ ssid="$SSID"
+ key_mgmt=NONE
+ }
+ EOF
+ wpa_supplicant -ddd -Dnl80211 -i$IFACESTA -copensta.conf -B -fopensta.log -Pw1sta.pid
+}
+
+wpa2psk_ap() {
+ local SSID=${1:-notreallyassid}
+
+ cat >wpapskap.conf <<-EOF
+ network={
+ frequency=2437
+ ssid="$SSID"
+ mode=2
+ key_mgmt=WPA-PSK
+ pairwise=CCMP
+ group=CCMP
+ psk="hunter2?"
+ }
+ EOF
+ wpa_supplicant -ddd -Dnl80211 -i$IFACEAP -cwpapskap.conf -B -fwpapskap.log -Pw2ap.pid
+}
+
+wpa2psk_sta() {
+ local SSID=${1:-notreallyassid}
+
+ cat >wpapsksta.conf <<-EOF
+ network={
+ frequency=2437
+ ssid="$SSID"
+ proto=WPA
+ key_mgmt=WPA-PSK
+ pairwise=CCMP
+ group=CCMP
+ psk="hunter2?"
+ }
+ EOF
+ wpa_supplicant -ddd -Dnl80211 -i$IFACESTA -cwpapsksta.conf -B -fwpapsksta.log -Pw2sta.pid
+}
+
+kill_supplicants() {
+ local a=`cat w*.pid`
+ local iter=0
+
+ while [ ${#a} -gt 0 -a $iter -lt 10 ]; do
+ for a in $a; do
+ kill $a 1>/dev/null 2>&1
+ sleep 1
+ done
+ a=`cat w*.pid`
+ iter=$((iter+1))
+ done
+
+ ip link set dev $IFACEAP down
+ ip link set dev $IFACESTA down
+
+ if [ $iter -ge 10 -a ${#a} -gt 0 ]; then
+ return 1
+ else
+ return 0
+ fi
+}
+
+check_for_associated_sta()
+{
+
+ local assoc_found=0 assoc_missed=0
+
+ ip link set dev $IFACEAP up
+ while sleep 2; do
+ if iw dev $IFACEAP station dump | grep -i $MACSTA ; then
+ assoc_found=$((assoc_found+1))
+ rlLog "found $MACSTA in $IFACEAP associations ($assoc_found)"
+ else
+ if [ $assoc_found -gt 0 ]; then
+ rlLog "association disappeared after $assoc_found cycles"
+ return 1
+ fi
+ rlLog "didn't find association ($assoc_missed)"
+ assoc_missed=$((assoc_missed+1))
+ fi
+ if [ $assoc_missed -gt 5 ]; then
+ rlLog "timeout waiting for $MACSTA in $IFACEAP station dump"
+ return 1
+ fi
+ if [ $assoc_found -gt 5 ]; then
+ return 0
+ fi
+ done
+ rlLog "sleep failed!"
+ return 1
+}
+
+check_for_running_aps()
+{
+ local probe_ok=0 probe_missed=0
+
+ ip link set dev $IFACESTA up
+ while sleep 1; do
+ if iw dev $IFACESTA scan | grep "${1:-notreallyassid}"; then
+ probe_ok=$((probe_ok+1))
+ rlLog "$probe_ok probe received"
+ else
+ if [ $probe_ok -gt 0 ]; then
+ rlLog "probe failure after $probe_ok attempts"
+ return 1
+ fi
+ rlLog "missed probe response"
+ probe_missed=$((probe_missed+1))
+ fi
+ if [ $probe_missed -gt 5 ]; then
+ rlLog "timeout waiting for beacons"
+ return 1
+ fi
+ if [ $probe_ok -gt 5 ]; then
+ return 0
+ fi
+ done
+ rlLog "sleep failed!"
+ return 1
+}
+
+rlJournalStart
+ rlPhaseStartSetup
+ rlAssertRpm $PACKAGE
+ # avoid randomizing MAC for wlan0 and wlan1
+ rlRun "systemctl stop NetworkManager"
+ # allow scans
+ rlRun "systemctl stop wpa_supplicant"
+ rlRun "rfkill unblock wifi"
+ rlRun "modprobe mac80211_hwsim radio=2"
+ rlRun "ip link set dev $IFACESTA address $MACSTA"
+ rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+
+ rlPhaseStartTest
+ # cleartext wifi
+ rlRun "kill_supplicants"
+ rlRun "open_ap test_OPEN"
+ rlRun "check_for_running_aps test_OPEN"
+ rlRun "open_sta test_OPEN"
+ rlRun "check_for_associated_sta test_OPEN"
+
+ # WPA2 personal
+ rlRun "kill_supplicants"
+ rlRun "wpa2psk_ap test_WPAPSK"
+ rlRun "check_for_running_aps test_WPAPSK"
+ rlRun "wpa2psk_sta test_WPAPSK"
+ rlRun "check_for_associated_sta test_WPAPSK"
+ rlPhaseEnd
+
+ rlPhaseStartCleanup
+ rlRun kill_supplicants
+ rlRun "popd"
+ rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+ rlRun "modprobe -r mac80211_hwsim"
+ rlRun "systemctl restart wpa_supplicant"
+ rlRun "systemctl restart NetworkManager"
+ rlPhaseEnd
+ rlJournalPrintText
+rlJournalEnd
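Review bot: The `wpa2psk_sta` network block sets `proto=WPA`, which in wpa_supplicant.conf selects the original WPA (IEEE 802.11i/D3.0) rather than RSN, so the phase commented "WPA2 personal" appears to associate over WPA1 and never exercise the RSN handshake. Setting `proto=RSN` in both `wpa2psk_sta` and `wpa2psk_ap` would pin the test to WPA2. Separately, `IFACEAP="wlan0"` and `IFACESTA="wlan1"` assume the two mac80211_hwsim radios receive those names. On a host that already has a wireless interface, the open `test_OPEN` AP could come up on real hardware, so setup should fail if `wlan0` exists before `modprobe`, or take the names from the hwsim phys. Cleanup also restarts NetworkManager and wpa_supplicant unconditionally and leaves `rfkill unblock wifi` in effect, which changes host state if the services were inactive or the radio was blocked before the run.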
--
2.20.1