Home Explore Help
Register Sign In
wareck
/
krackattacks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

tests: Add kernel BSS leak tests

Add two tests that check if the kernel BSS leak (when we get a deauth or
otherwise abandon an association attempt) is present in the kernel. This
is for a long-standing cfg80211/mac80211 issue that got fixed with the
kernel commit 'cfg80211/mac80211: fix BSS leaks when abandoning assoc
attempts'.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg 8 years ago
parent
52358b08f5
commit
c7c4600260
1 changed files with 57 additions and 0 deletions
Split View Show Diff Stats
  1. 57 0
      tests/hwsim/test_kernel.py

+ 57 - 0
tests/hwsim/test_kernel.py
View File 

@@ -0,0 +1,57 @@
 
+# Test a few kernel bugs
 
+# Copyright (c) 2016, Intel Deutschland GmbH
 
+#
 
+# Author: Johannes Berg <johannes.berg@intel.com>
 
+#
 
+# This software may be distributed under the terms of the BSD license.
 
+# See README for more details.
 
+
 
+import hostapd
 
+import binascii
 
+
 
+def _test_kernel_bss_leak(dev, apdev, deauth):
 
+    ssid = "test-bss-leak"
 
+    passphrase = 'qwertyuiop'
 
+    params = hostapd.wpa2_params(ssid=ssid, passphrase=passphrase)
 
+    hapd = hostapd.add_ap(apdev[0], params)
 
+    hapd.set("ext_mgmt_frame_handling", "1")
 
+    dev[0].connect(ssid, psk=passphrase, scan_freq="2412", wait_connect=False)
 
+    while True:
 
+        pkt = hapd.mgmt_rx()
 
+        if not pkt:
 
+            raise Exception("MGMT RX wait timed out for auth frame")
 
+        if pkt['fc'] & 0xc:
 
+            continue
 
+        if pkt['subtype'] == 0: # assoc request
 
+            if deauth:
 
+                # return a deauth immediately
 
+                hapd.mgmt_tx({
 
+                    'fc': 0xc0,
 
+                    'sa': pkt['da'],
 
+                    'da': pkt['sa'],
 
+                    'bssid': pkt['bssid'],
 
+                    'payload': '\x01\x00',
 
+                })
 
+            break
 
+        else:
 
+            hapd.request("MGMT_RX_PROCESS freq=2412 datarate=0 ssi_signal=-30 frame=%s" % (
 
+                         binascii.hexlify(pkt['frame']), ))
 
+    hapd.set("ext_mgmt_frame_handling", "0")
 
+
 
+    hapd.request("STOP_AP")
 
+
 
+    dev[0].request("REMOVE_NETWORK all")
 
+    dev[0].wait_disconnected()
 
+
 
+    dev[0].flush_scan_cache(freq=5180)
 
+    res = dev[0].request("SCAN_RESULTS")
 
+    if len(res.splitlines()) > 1:
 
+        raise Exception("BSS entry should no longer be around")
 
+
 
+def test_kernel_bss_leak_deauth(dev, apdev):
 
+    """cfg80211/mac80211 BSS leak on deauthentication"""
 
+    return _test_kernel_bss_leak(dev, apdev, deauth=True)
 
+
 
+def test_kernel_bss_leak_timeout(dev, apdev):
 
+    """cfg80211/mac80211 BSS leak on timeout"""
 
+    return _test_kernel_bss_leak(dev, apdev, deauth=False)