From: Michael Braun Date: Mon, 5 Oct 2015 14:14:25 +0000 (+0200) Subject: tests: Verify group encryption is set up for VLANs early X-Git-Tag: hostap_2_6~1581 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee2b0d19f5b21591a1d9ea29314c2e3e82a1bb3e;p=thirdparty%2Fhostap.git tests: Verify group encryption is set up for VLANs early Check that there are no unencrypted frames when using hostapd with VLANs and WPA before the first station connects to the VLAN. Signed-off-by: Michael Braun --- diff --git a/tests/hwsim/test_ap_vlan.py b/tests/hwsim/test_ap_vlan.py index 822bf99ed..ef2532199 100644 --- a/tests/hwsim/test_ap_vlan.py +++ b/tests/hwsim/test_ap_vlan.py @@ -20,6 +20,8 @@ except ImportError: import hwsim_utils import hostapd from utils import iface_is_in_bridge, HwsimSkip +import os +from tshark import run_tshark def test_ap_vlan_open(dev, apdev): """AP VLAN with open network""" @@ -382,3 +384,84 @@ def test_ap_vlan_iface_cleanup_multibss(dev, apdev): hapd.request("DISABLE") finally: ap_vlan_iface_cleanup_multibss_cleanup() + +def test_ap_vlan_without_station(dev, apdev, p): + """AP VLAN with WPA2-PSK and no station""" + try: + subprocess.call(['brctl', 'addbr', 'brvlan1']) + subprocess.call(['brctl', 'setfd', 'brvlan1', '0']) + subprocess.call(['ifconfig', 'brvlan1', 'up']) + # use a passphrase wlantest does not know, so it cannot + # inject decrypted frames into pcap + params = hostapd.wpa2_params(ssid="test-vlan", + passphrase="12345678x") + params['dynamic_vlan'] = "1"; + params['vlan_file'] = 'hostapd.wlan3.vlan' + params['accept_mac_file'] = "hostapd.accept"; + hapd = hostapd.add_ap(apdev[0]['ifname'], params) + + # inject some traffic + sa = hapd.own_addr() + da = "ff:ff:ff:ff:ff:00" + hapd.request('DATA_TEST_CONFIG 1 ifname=brvlan1') + hapd.request('DATA_TEST_TX {} {} 0'.format(da, sa)) + hapd.request('DATA_TEST_CONFIG 0') + time.sleep(.1) + + dev[0].connect("test-vlan", psk="12345678x", scan_freq="2412") + + # inject some traffic + sa = hapd.own_addr() + da = "ff:ff:ff:ff:ff:01" + hapd.request('DATA_TEST_CONFIG 1 ifname=brvlan1') + hapd.request('DATA_TEST_TX {} {} 0'.format(da, sa)) + hapd.request('DATA_TEST_CONFIG 0') + + # let the AP send couple of Beacon frames + time.sleep(1) + out = run_tshark(os.path.join(p['logdir'], "hwsim0.pcapng"), + "wlan.da == ff:ff:ff:ff:ff:00", + ["wlan.fc.protected"]) + + if out is not None: + lines = out.splitlines() + if len(lines) < 1: + raise Exception("first frame not observed") + state = 1 + for l in lines: + is_protected = int(l, 16) + if is_protected != 1: + state = 0 + if state != 1: + raise Exception("Broadcast packets were not encrypted when no station was connected") + else: + raise Exception("first frame not observed") + + out = run_tshark(os.path.join(p['logdir'], "hwsim0.pcapng"), + "wlan.da == ff:ff:ff:ff:ff:01", + ["wlan.fc.protected"]) + + if out is not None: + lines = out.splitlines() + if len(lines) < 1: + raise Exception("second frame not observed") + state = 1 + for l in lines: + is_protected = int(l, 16) + if is_protected != 1: + state = 0 + if state != 1: + raise Exception("Broadcast packets were not encrypted when station was connected") + else: + raise Exception("second frame not observed") + + dev[0].request("DISCONNECT") + dev[0].wait_disconnected() + + finally: + subprocess.call(['ip', 'link', 'set', 'dev', 'brvlan1', 'down']) + subprocess.call(['ip', 'link', 'set', 'dev', 'wlan3.1', 'down'], + stderr=open('/dev/null', 'w')) + subprocess.call(['brctl', 'delif', 'brvlan1', 'wlan3.1'], + stderr=open('/dev/null', 'w')) + subprocess.call(['brctl', 'delbr', 'brvlan1'])