From 186ca4736d620cc1e132f361d81c9a45906c531d Mon Sep 17 00:00:00 2001 From: Michael Braun Date: Wed, 24 Feb 2016 12:53:24 +0100 Subject: [PATCH] tests: FT RRB internal delivery to non-WPA BSS A malicious station could try to do FT-over-DS with a non WPA-enabled BSS. When this BSS is located in the same hostapd instance, internal RRB delivery will be used and thus the FT Action Frame will be processed by a non-WPA enabled BSS. This processing used to crash hostapd as hapd->wpa_auth is NULL. This test implements such a malicious request for regression testing. Signed-off-by: Michael Braun --- tests/hwsim/test_ap_ft.py | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/tests/hwsim/test_ap_ft.py b/tests/hwsim/test_ap_ft.py index 28b35abb5..1fc10a5f6 100644 --- a/tests/hwsim/test_ap_ft.py +++ b/tests/hwsim/test_ap_ft.py @@ -1055,3 +1055,30 @@ def test_ap_ft_ptk_rekey_ap(dev, apdev): else: hapd = hapd1 hwsim_utils.test_connectivity(dev[0], hapd) + +def test_ap_ft_internal_rrb_check(dev, apdev): + """RRB internal delivery only to WPA enabled BSS""" + ssid = "test-ft" + passphrase="12345678" + + radius = hostapd.radius_params() + params = ft_params1(ssid=ssid, passphrase=passphrase) + params['wpa_key_mgmt'] = "FT-EAP" + params["ieee8021x"] = "1" + params = dict(radius.items() + params.items()) + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + key_mgmt = hapd.get_config()['key_mgmt'] + if key_mgmt.split(' ')[0] != "FT-EAP": + raise Exception("Unexpected GET_CONFIG(key_mgmt): " + key_mgmt) + + hapd1 = hostapd.add_ap(apdev[1]['ifname'], { "ssid" : ssid }) + + # Connect to WPA enabled AP + dev[0].connect(ssid, key_mgmt="FT-EAP", proto="WPA2", ieee80211w="1", + eap="GPSK", identity="gpsk user", + password="abcdefghijklmnop0123456789abcdef", + scan_freq="2412") + + # Try over_ds roaming to non-WPA-enabled AP. + # If hostapd does not check hapd->wpa_auth internally, it will crash now. + dev[0].roam_over_ds(apdev[1]['bssid'], fail_test=True) -- 2.39.2