]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_erp.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: Fix ap_ft_reassoc_replay for case where wlantest has the PSK
[thirdparty/hostap.git] / tests / hwsim / test_erp.py
1 # EAP Re-authentication Protocol (ERP) tests
2 # Copyright (c) 2014-2019, Jouni Malinen <j@w1.fi>
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 import binascii
8 import logging
9 logger = logging.getLogger()
10 import os
11 import time
12
13 import hostapd
14 from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger
15 from test_ap_eap import int_eap_server_params
16 from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
17
18 def check_erp_capa(dev):
19 capab = dev.get_capability("erp")
20 if not capab or 'ERP' not in capab:
21 raise HwsimSkip("ERP not supported in the build")
22
23 def test_erp_initiate_reauth_start(dev, apdev):
24 """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer"""
25 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
26 params['erp_send_reauth_start'] = '1'
27 params['erp_domain'] = 'example.com'
28 hapd = hostapd.add_ap(apdev[0], params)
29
30 dev[0].request("ERP_FLUSH")
31 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
32 eap="PAX", identity="pax.user@example.com",
33 password_hex="0123456789abcdef0123456789abcdef",
34 scan_freq="2412")
35
36 def test_erp_enabled_on_server(dev, apdev):
37 """ERP enabled on internal EAP server, but disabled on peer"""
38 params = int_eap_server_params()
39 params['erp_send_reauth_start'] = '1'
40 params['erp_domain'] = 'example.com'
41 params['eap_server_erp'] = '1'
42 hapd = hostapd.add_ap(apdev[0], params)
43
44 dev[0].request("ERP_FLUSH")
45 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
46 eap="PAX", identity="pax.user@example.com",
47 password_hex="0123456789abcdef0123456789abcdef",
48 scan_freq="2412")
49
50 def test_erp(dev, apdev):
51 """ERP enabled on server and peer"""
52 check_erp_capa(dev[0])
53 params = int_eap_server_params()
54 params['erp_send_reauth_start'] = '1'
55 params['erp_domain'] = 'example.com'
56 params['eap_server_erp'] = '1'
57 params['disable_pmksa_caching'] = '1'
58 hapd = hostapd.add_ap(apdev[0], params)
59
60 dev[0].request("ERP_FLUSH")
61 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
62 eap="PSK", identity="psk.user@example.com",
63 password_hex="0123456789abcdef0123456789abcdef",
64 erp="1", scan_freq="2412")
65 for i in range(3):
66 dev[0].request("DISCONNECT")
67 dev[0].wait_disconnected(timeout=15)
68 dev[0].request("RECONNECT")
69 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
70 if ev is None:
71 raise Exception("EAP success timed out")
72 if "EAP re-authentication completed successfully" not in ev:
73 raise Exception("Did not use ERP")
74 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
75
76 def test_erp_server_no_match(dev, apdev):
77 """ERP enabled on server and peer, but server has no key match"""
78 check_erp_capa(dev[0])
79 params = int_eap_server_params()
80 params['erp_send_reauth_start'] = '1'
81 params['erp_domain'] = 'example.com'
82 params['eap_server_erp'] = '1'
83 params['disable_pmksa_caching'] = '1'
84 hapd = hostapd.add_ap(apdev[0], params)
85
86 dev[0].request("ERP_FLUSH")
87 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
88 eap="PSK", identity="psk.user@example.com",
89 password_hex="0123456789abcdef0123456789abcdef",
90 erp="1", scan_freq="2412")
91 dev[0].request("DISCONNECT")
92 dev[0].wait_disconnected(timeout=15)
93 hapd.request("ERP_FLUSH")
94 dev[0].request("RECONNECT")
95 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
96 "CTRL-EVENT-EAP-FAILURE"], timeout=15)
97 if ev is None:
98 raise Exception("EAP result timed out")
99 if "CTRL-EVENT-EAP-SUCCESS" in ev:
100 raise Exception("Unexpected EAP success")
101 dev[0].request("DISCONNECT")
102 dev[0].select_network(id)
103 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
104 if ev is None:
105 raise Exception("EAP success timed out")
106 if "EAP re-authentication completed successfully" in ev:
107 raise Exception("Unexpected use of ERP")
108 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
109
110 def start_erp_as(erp_domain="example.com", msk_dump=None, tls13=False,
111 eap_user_file="auth_serv/eap_user.conf"):
112 params = {"driver": "none",
113 "interface": "as-erp",
114 "radius_server_clients": "auth_serv/radius_clients.conf",
115 "radius_server_auth_port": '18128',
116 "eap_server": "1",
117 "eap_user_file": eap_user_file,
118 "ca_cert": "auth_serv/ca.pem",
119 "server_cert": "auth_serv/server.pem",
120 "private_key": "auth_serv/server.key",
121 "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
122 "dh_file": "auth_serv/dh.conf",
123 "pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f",
124 "eap_fast_a_id": "101112131415161718191a1b1c1d1e1f",
125 "eap_fast_a_id_info": "test server",
126 "eap_server_erp": "1",
127 "erp_domain": erp_domain}
128 if msk_dump:
129 params["dump_msk_file"] = msk_dump
130 if tls13:
131 params["tls_flags"] = "[ENABLE-TLSv1.3]"
132 apdev = {'ifname': 'as-erp'}
133 return hostapd.add_ap(apdev, params, driver="none")
134
135 def test_erp_radius(dev, apdev):
136 """ERP enabled on RADIUS server and peer"""
137 check_erp_capa(dev[0])
138 start_erp_as()
139 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
140 params['auth_server_port'] = "18128"
141 params['erp_send_reauth_start'] = '1'
142 params['erp_domain'] = 'example.com'
143 params['disable_pmksa_caching'] = '1'
144 hapd = hostapd.add_ap(apdev[0], params)
145
146 dev[0].request("ERP_FLUSH")
147 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
148 eap="PSK", identity="psk.user@example.com",
149 password_hex="0123456789abcdef0123456789abcdef",
150 erp="1", scan_freq="2412")
151 for i in range(3):
152 dev[0].request("DISCONNECT")
153 dev[0].wait_disconnected(timeout=15)
154 dev[0].request("RECONNECT")
155 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
156 if ev is None:
157 raise Exception("EAP success timed out")
158 if "EAP re-authentication completed successfully" not in ev:
159 raise Exception("Did not use ERP")
160 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
161
162 def test_erp_radius_no_wildcard_user(dev, apdev, params):
163 """ERP enabled on RADIUS server and peer and no wildcard user"""
164 check_erp_capa(dev[0])
165 user_file = os.path.join(params['logdir'],
166 'erp_radius_no_wildcard_user.eap_users')
167 with open(user_file, 'w') as f:
168 f.write('"user@example.com" PSK 0123456789abcdef0123456789abcdef\n')
169 start_erp_as(eap_user_file=user_file)
170 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
171 params['auth_server_port'] = "18128"
172 params['erp_send_reauth_start'] = '1'
173 params['erp_domain'] = 'example.com'
174 params['disable_pmksa_caching'] = '1'
175 hapd = hostapd.add_ap(apdev[0], params)
176
177 dev[0].request("ERP_FLUSH")
178 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
179 eap="PSK", identity="user@example.com",
180 password_hex="0123456789abcdef0123456789abcdef",
181 erp="1", scan_freq="2412")
182 for i in range(3):
183 dev[0].request("DISCONNECT")
184 dev[0].wait_disconnected(timeout=15)
185 dev[0].request("RECONNECT")
186 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
187 if ev is None:
188 raise Exception("EAP success timed out")
189 if "EAP re-authentication completed successfully" not in ev:
190 raise Exception("Did not use ERP")
191 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
192
193 def test_erp_radius_ext(dev, apdev):
194 """ERP enabled on a separate RADIUS server and peer"""
195 as_hapd = hostapd.Hostapd("as")
196 try:
197 as_hapd.disable()
198 as_hapd.set("eap_server_erp", "1")
199 as_hapd.set("erp_domain", "erp.example.com")
200 as_hapd.enable()
201 run_erp_radius_ext(dev, apdev)
202 finally:
203 as_hapd.disable()
204 as_hapd.set("eap_server_erp", "0")
205 as_hapd.set("erp_domain", "")
206 as_hapd.enable()
207
208 def run_erp_radius_ext(dev, apdev):
209 check_erp_capa(dev[0])
210 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
211 params['erp_send_reauth_start'] = '1'
212 params['erp_domain'] = 'erp.example.com'
213 params['disable_pmksa_caching'] = '1'
214 hapd = hostapd.add_ap(apdev[0], params)
215
216 dev[0].request("ERP_FLUSH")
217 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
218 eap="PSK", identity="psk@erp.example.com",
219 password_hex="0123456789abcdef0123456789abcdef",
220 erp="1", scan_freq="2412")
221 for i in range(3):
222 dev[0].request("DISCONNECT")
223 dev[0].wait_disconnected(timeout=15)
224 dev[0].request("RECONNECT")
225 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
226 if ev is None:
227 raise Exception("EAP success timed out")
228 if "EAP re-authentication completed successfully" not in ev:
229 raise Exception("Did not use ERP")
230 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
231
232 def erp_test(dev, hapd, reauth=False, **kwargs):
233 res = dev.get_capability("eap")
234 if kwargs['eap'] not in res:
235 logger.info("Skip ERP test with %s due to missing support" % kwargs['eap'])
236 return
237 hapd.dump_monitor()
238 dev.dump_monitor()
239 dev.request("ERP_FLUSH")
240 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", erp="1",
241 scan_freq="2412", **kwargs)
242 dev.request("DISCONNECT")
243 dev.wait_disconnected(timeout=15)
244 dev.dump_monitor()
245 hapd.dump_monitor()
246
247 if reauth:
248 dev.request("ERP_FLUSH")
249 dev.request("RECONNECT")
250 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
251 if ev is None:
252 raise Exception("EAP success timed out")
253 if "EAP re-authentication completed successfully" in ev:
254 raise Exception("Used ERP unexpectedly")
255 dev.wait_connected(timeout=15, error="Reconnection timed out")
256 dev.request("DISCONNECT")
257 dev.wait_disconnected(timeout=15)
258 dev.dump_monitor()
259 hapd.dump_monitor()
260
261 dev.request("RECONNECT")
262 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
263 if ev is None:
264 raise Exception("EAP success timed out")
265 if "EAP re-authentication completed successfully" not in ev:
266 raise Exception("Did not use ERP")
267 dev.wait_connected(timeout=15, error="Reconnection timed out")
268 ev = hapd.wait_event(["AP-STA-CONNECTED"], timeout=5)
269 if ev is None:
270 raise Exception("No connection event received from hostapd")
271 dev.request("DISCONNECT")
272
273 def test_erp_radius_eap_methods(dev, apdev):
274 """ERP enabled on RADIUS server and peer"""
275 check_erp_capa(dev[0])
276 eap_methods = dev[0].get_capability("eap")
277 start_erp_as()
278 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
279 params['auth_server_port'] = "18128"
280 params['erp_send_reauth_start'] = '1'
281 params['erp_domain'] = 'example.com'
282 params['disable_pmksa_caching'] = '1'
283 hapd = hostapd.add_ap(apdev[0], params)
284
285 erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com",
286 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
287 erp_test(dev[0], hapd, reauth=True,
288 eap="AKA", identity="0232010000000000@example.com",
289 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
290 erp_test(dev[0], hapd, eap="AKA'", identity="6555444333222111@example.com",
291 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
292 erp_test(dev[0], hapd, reauth=True,
293 eap="AKA'", identity="6555444333222111@example.com",
294 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
295 erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com",
296 password="hello")
297 if "FAST" in eap_methods:
298 erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com",
299 password="password", ca_cert="auth_serv/ca.pem",
300 phase2="auth=GTC",
301 phase1="fast_provisioning=2",
302 pac_file="blob://fast_pac_auth_erp")
303 erp_test(dev[0], hapd, eap="GPSK", identity="erp-gpsk@example.com",
304 password="abcdefghijklmnop0123456789abcdef")
305 erp_test(dev[0], hapd, eap="IKEV2", identity="erp-ikev2@example.com",
306 password="password")
307 erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com",
308 password_hex="0123456789abcdef0123456789abcdef")
309 if "MSCHAPV2" in eap_methods:
310 erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com",
311 password="password", ca_cert="auth_serv/ca.pem",
312 phase2="auth=MSCHAPV2")
313 erp_test(dev[0], hapd, eap="TEAP", identity="erp-teap@example.com",
314 password="password", ca_cert="auth_serv/ca.pem",
315 phase2="auth=MSCHAPV2", pac_file="blob://teap_pac")
316 erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com",
317 password_hex="0123456789abcdef0123456789abcdef")
318 if "PWD" in eap_methods:
319 erp_test(dev[0], hapd, eap="PWD", identity="erp-pwd@example.com",
320 password="secret password")
321 erp_test(dev[0], hapd, eap="SAKE", identity="erp-sake@example.com",
322 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
323 erp_test(dev[0], hapd, eap="SIM", identity="1232010000000000@example.com",
324 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
325 erp_test(dev[0], hapd, reauth=True,
326 eap="SIM", identity="1232010000000000@example.com",
327 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
328 erp_test(dev[0], hapd, eap="TLS", identity="erp-tls@example.com",
329 ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
330 private_key="auth_serv/user.key")
331 erp_test(dev[0], hapd, eap="TTLS", identity="erp-ttls@example.com",
332 password="password", ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
333
334 def test_erp_radius_eap_tls_v13(dev, apdev):
335 """ERP enabled on RADIUS server and peer using EAP-TLS v1.3"""
336 check_erp_capa(dev[0])
337 tls = dev[0].request("GET tls_library")
338 if "run=OpenSSL 1.1.1" not in tls:
339 raise HwsimSkip("No TLS v1.3 support in TLS library")
340
341 eap_methods = dev[0].get_capability("eap")
342 start_erp_as(tls13=True)
343 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
344 params['auth_server_port'] = "18128"
345 params['erp_send_reauth_start'] = '1'
346 params['erp_domain'] = 'example.com'
347 params['disable_pmksa_caching'] = '1'
348 hapd = hostapd.add_ap(apdev[0], params)
349
350 erp_test(dev[0], hapd, eap="TLS", identity="erp-tls@example.com",
351 ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
352 private_key="auth_serv/user.key",
353 phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
354
355 def test_erp_key_lifetime_in_memory(dev, apdev, params):
356 """ERP and key lifetime in memory"""
357 check_erp_capa(dev[0])
358 p = int_eap_server_params()
359 p['erp_send_reauth_start'] = '1'
360 p['erp_domain'] = 'example.com'
361 p['eap_server_erp'] = '1'
362 p['disable_pmksa_caching'] = '1'
363 hapd = hostapd.add_ap(apdev[0], p)
364 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
365
366 pid = find_wpas_process(dev[0])
367
368 dev[0].request("ERP_FLUSH")
369 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
370 identity="pap-secret@example.com", password=password,
371 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
372 erp="1", scan_freq="2412")
373
374 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
375 # event has been delivered, so verify that wpa_supplicant has returned to
376 # eloop before reading process memory.
377 time.sleep(1)
378 dev[0].ping()
379 password = password.encode()
380 buf = read_process_memory(pid, password)
381
382 dev[0].request("DISCONNECT")
383 dev[0].wait_disconnected(timeout=15)
384
385 dev[0].relog()
386 msk = None
387 emsk = None
388 rRK = None
389 rIK = None
390 pmk = None
391 ptk = None
392 gtk = None
393 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
394 for l in f.readlines():
395 if "EAP-TTLS: Derived key - hexdump" in l:
396 val = l.strip().split(':')[3].replace(' ', '')
397 msk = binascii.unhexlify(val)
398 if "EAP-TTLS: Derived EMSK - hexdump" in l:
399 val = l.strip().split(':')[3].replace(' ', '')
400 emsk = binascii.unhexlify(val)
401 if "EAP: ERP rRK - hexdump" in l:
402 val = l.strip().split(':')[3].replace(' ', '')
403 rRK = binascii.unhexlify(val)
404 if "EAP: ERP rIK - hexdump" in l:
405 val = l.strip().split(':')[3].replace(' ', '')
406 rIK = binascii.unhexlify(val)
407 if "WPA: PMK - hexdump" in l:
408 val = l.strip().split(':')[3].replace(' ', '')
409 pmk = binascii.unhexlify(val)
410 if "WPA: PTK - hexdump" in l:
411 val = l.strip().split(':')[3].replace(' ', '')
412 ptk = binascii.unhexlify(val)
413 if "WPA: Group Key - hexdump" in l:
414 val = l.strip().split(':')[3].replace(' ', '')
415 gtk = binascii.unhexlify(val)
416 if not msk or not emsk or not rIK or not rRK or not pmk or not ptk or not gtk:
417 raise Exception("Could not find keys from debug log")
418 if len(gtk) != 16:
419 raise Exception("Unexpected GTK length")
420
421 kck = ptk[0:16]
422 kek = ptk[16:32]
423 tk = ptk[32:48]
424
425 fname = os.path.join(params['logdir'],
426 'erp_key_lifetime_in_memory.memctx-')
427
428 logger.info("Checking keys in memory while associated")
429 get_key_locations(buf, password, "Password")
430 get_key_locations(buf, pmk, "PMK")
431 get_key_locations(buf, msk, "MSK")
432 get_key_locations(buf, emsk, "EMSK")
433 get_key_locations(buf, rRK, "rRK")
434 get_key_locations(buf, rIK, "rIK")
435 if password not in buf:
436 raise HwsimSkip("Password not found while associated")
437 if pmk not in buf:
438 raise HwsimSkip("PMK not found while associated")
439 if kck not in buf:
440 raise Exception("KCK not found while associated")
441 if kek not in buf:
442 raise Exception("KEK not found while associated")
443 #if tk in buf:
444 # raise Exception("TK found from memory")
445
446 logger.info("Checking keys in memory after disassociation")
447 buf = read_process_memory(pid, password)
448
449 # Note: Password is still present in network configuration
450 # Note: PMK is in EAP fast re-auth data
451
452 get_key_locations(buf, password, "Password")
453 get_key_locations(buf, pmk, "PMK")
454 get_key_locations(buf, msk, "MSK")
455 get_key_locations(buf, emsk, "EMSK")
456 get_key_locations(buf, rRK, "rRK")
457 get_key_locations(buf, rIK, "rIK")
458 verify_not_present(buf, kck, fname, "KCK")
459 verify_not_present(buf, kek, fname, "KEK")
460 verify_not_present(buf, tk, fname, "TK")
461 if gtk in buf:
462 get_key_locations(buf, gtk, "GTK")
463 verify_not_present(buf, gtk, fname, "GTK")
464
465 dev[0].request("RECONNECT")
466 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
467 if ev is None:
468 raise Exception("EAP success timed out")
469 if "EAP re-authentication completed successfully" not in ev:
470 raise Exception("Did not use ERP")
471 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
472
473 dev[0].request("DISCONNECT")
474 dev[0].wait_disconnected(timeout=15)
475
476 dev[0].relog()
477 pmk = None
478 ptk = None
479 gtk = None
480 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
481 for l in f.readlines():
482 if "WPA: PMK - hexdump" in l:
483 val = l.strip().split(':')[3].replace(' ', '')
484 pmk = binascii.unhexlify(val)
485 if "WPA: PTK - hexdump" in l:
486 val = l.strip().split(':')[3].replace(' ', '')
487 ptk = binascii.unhexlify(val)
488 if "WPA: GTK in EAPOL-Key - hexdump" in l:
489 val = l.strip().split(':')[3].replace(' ', '')
490 gtk = binascii.unhexlify(val)
491 if not pmk or not ptk or not gtk:
492 raise Exception("Could not find keys from debug log")
493
494 kck = ptk[0:16]
495 kek = ptk[16:32]
496 tk = ptk[32:48]
497
498 logger.info("Checking keys in memory after ERP and disassociation")
499 buf = read_process_memory(pid, password)
500
501 # Note: Password is still present in network configuration
502
503 get_key_locations(buf, password, "Password")
504 get_key_locations(buf, pmk, "PMK")
505 get_key_locations(buf, msk, "MSK")
506 get_key_locations(buf, emsk, "EMSK")
507 get_key_locations(buf, rRK, "rRK")
508 get_key_locations(buf, rIK, "rIK")
509 verify_not_present(buf, kck, fname, "KCK")
510 verify_not_present(buf, kek, fname, "KEK")
511 verify_not_present(buf, tk, fname, "TK")
512 verify_not_present(buf, gtk, fname, "GTK")
513
514 dev[0].request("REMOVE_NETWORK all")
515
516 logger.info("Checking keys in memory after network profile removal")
517 buf = read_process_memory(pid, password)
518
519 # Note: rRK and rIK are still in memory
520
521 get_key_locations(buf, password, "Password")
522 get_key_locations(buf, pmk, "PMK")
523 get_key_locations(buf, msk, "MSK")
524 get_key_locations(buf, emsk, "EMSK")
525 get_key_locations(buf, rRK, "rRK")
526 get_key_locations(buf, rIK, "rIK")
527 verify_not_present(buf, password, fname, "password")
528 verify_not_present(buf, pmk, fname, "PMK")
529 verify_not_present(buf, kck, fname, "KCK")
530 verify_not_present(buf, kek, fname, "KEK")
531 verify_not_present(buf, tk, fname, "TK")
532 verify_not_present(buf, gtk, fname, "GTK")
533 verify_not_present(buf, msk, fname, "MSK")
534 verify_not_present(buf, emsk, fname, "EMSK")
535
536 dev[0].request("ERP_FLUSH")
537 logger.info("Checking keys in memory after ERP_FLUSH")
538 buf = read_process_memory(pid, password)
539 get_key_locations(buf, rRK, "rRK")
540 get_key_locations(buf, rIK, "rIK")
541 verify_not_present(buf, rRK, fname, "rRK")
542 verify_not_present(buf, rIK, fname, "rIK")
543
544 def test_erp_anonymous_identity(dev, apdev):
545 """ERP and anonymous identity"""
546 check_erp_capa(dev[0])
547 params = int_eap_server_params()
548 params['erp_send_reauth_start'] = '1'
549 params['erp_domain'] = 'example.com'
550 params['eap_server_erp'] = '1'
551 params['disable_pmksa_caching'] = '1'
552 hapd = hostapd.add_ap(apdev[0], params)
553
554 dev[0].request("ERP_FLUSH")
555 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
556 identity="erp-ttls",
557 anonymous_identity="anonymous@example.com",
558 password="password",
559 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
560 erp="1", scan_freq="2412")
561 for i in range(3):
562 dev[0].request("DISCONNECT")
563 dev[0].wait_disconnected(timeout=15)
564 dev[0].request("RECONNECT")
565 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
566 if ev is None:
567 raise Exception("EAP success timed out")
568 if "EAP re-authentication completed successfully" not in ev:
569 raise Exception("Did not use ERP")
570 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
571
572 def test_erp_home_realm_oom(dev, apdev):
573 """ERP and home realm OOM"""
574 check_erp_capa(dev[0])
575 params = int_eap_server_params()
576 params['erp_send_reauth_start'] = '1'
577 params['erp_domain'] = 'example.com'
578 params['eap_server_erp'] = '1'
579 params['disable_pmksa_caching'] = '1'
580 hapd = hostapd.add_ap(apdev[0], params)
581
582 for count in range(1, 3):
583 with alloc_fail(dev[0], count, "eap_get_realm"):
584 dev[0].request("ERP_FLUSH")
585 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
586 identity="erp-ttls@example.com",
587 anonymous_identity="anonymous@example.com",
588 password="password",
589 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
590 erp="1", scan_freq="2412", wait_connect=False)
591 dev[0].wait_connected(timeout=10)
592 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
593 dev[0].request("REMOVE_NETWORK all")
594 dev[0].wait_disconnected()
595
596 for count in range(1, 3):
597 with alloc_fail(dev[0], count, "eap_get_realm"):
598 dev[0].request("ERP_FLUSH")
599 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
600 identity="erp-ttls",
601 anonymous_identity="anonymous@example.com",
602 password="password",
603 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
604 erp="1", scan_freq="2412", wait_connect=False)
605 dev[0].wait_connected(timeout=10)
606 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
607 dev[0].request("REMOVE_NETWORK all")
608 dev[0].wait_disconnected()
609
610 for count in range(1, 3):
611 dev[0].request("ERP_FLUSH")
612 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
613 identity="erp-ttls@example.com",
614 anonymous_identity="anonymous@example.com",
615 password="password",
616 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
617 erp="1", scan_freq="2412", wait_connect=False)
618 dev[0].wait_connected(timeout=10)
619 if count > 1:
620 continue
621 with alloc_fail(dev[0], count, "eap_get_realm"):
622 dev[0].request("DISCONNECT")
623 dev[0].wait_disconnected(timeout=15)
624 dev[0].request("RECONNECT")
625 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
626 dev[0].request("REMOVE_NETWORK all")
627 dev[0].wait_disconnected()
628
629 def test_erp_local_errors(dev, apdev):
630 """ERP and local error cases"""
631 check_erp_capa(dev[0])
632 params = int_eap_server_params()
633 params['erp_send_reauth_start'] = '1'
634 params['erp_domain'] = 'example.com'
635 params['eap_server_erp'] = '1'
636 params['disable_pmksa_caching'] = '1'
637 hapd = hostapd.add_ap(apdev[0], params)
638
639 dev[0].request("ERP_FLUSH")
640 with alloc_fail(dev[0], 1, "eap_peer_erp_init"):
641 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
642 identity="erp-ttls@example.com",
643 anonymous_identity="anonymous@example.com",
644 password="password",
645 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
646 erp="1", scan_freq="2412")
647 dev[0].request("REMOVE_NETWORK all")
648 dev[0].wait_disconnected()
649
650 for count in range(1, 6):
651 dev[0].request("ERP_FLUSH")
652 with fail_test(dev[0], count, "hmac_sha256_kdf;eap_peer_erp_init"):
653 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
654 identity="erp-ttls@example.com",
655 anonymous_identity="anonymous@example.com",
656 password="password",
657 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
658 erp="1", scan_freq="2412")
659 dev[0].request("REMOVE_NETWORK all")
660 dev[0].wait_disconnected()
661
662 dev[0].request("ERP_FLUSH")
663 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_peer_erp_reauth_start"):
664 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
665 identity="erp-ttls@example.com",
666 anonymous_identity="anonymous@example.com",
667 password="password",
668 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
669 erp="1", scan_freq="2412")
670 dev[0].request("DISCONNECT")
671 dev[0].wait_disconnected(timeout=15)
672 dev[0].request("RECONNECT")
673 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
674 dev[0].request("REMOVE_NETWORK all")
675 dev[0].wait_disconnected()
676
677 dev[0].request("ERP_FLUSH")
678 with fail_test(dev[0], 1, "hmac_sha256;eap_peer_erp_reauth_start"):
679 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
680 identity="erp-ttls@example.com",
681 anonymous_identity="anonymous@example.com",
682 password="password",
683 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
684 erp="1", scan_freq="2412")
685 dev[0].request("DISCONNECT")
686 dev[0].wait_disconnected(timeout=15)
687 dev[0].request("RECONNECT")
688 wait_fail_trigger(dev[0], "GET_FAIL")
689 dev[0].request("REMOVE_NETWORK all")
690 dev[0].wait_disconnected()
691
692 dev[0].request("ERP_FLUSH")
693 with fail_test(dev[0], 1, "hmac_sha256;eap_peer_finish"):
694 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
695 identity="erp-ttls@example.com",
696 anonymous_identity="anonymous@example.com",
697 password="password",
698 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
699 erp="1", scan_freq="2412")
700 dev[0].request("DISCONNECT")
701 dev[0].wait_disconnected(timeout=15)
702 dev[0].request("RECONNECT")
703 wait_fail_trigger(dev[0], "GET_FAIL")
704 dev[0].request("REMOVE_NETWORK all")
705 dev[0].wait_disconnected()
706
707 dev[0].request("ERP_FLUSH")
708 with alloc_fail(dev[0], 1, "eap_peer_erp_init"):
709 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
710 identity="erp-ttls@example.com",
711 anonymous_identity="anonymous@example.com",
712 password="password",
713 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
714 erp="1", scan_freq="2412")
715 dev[0].request("DISCONNECT")
716 dev[0].wait_disconnected(timeout=15)
717
718 dev[0].request("ERP_FLUSH")
719 with alloc_fail(dev[0], 1, "eap_peer_finish"):
720 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
721 identity="erp-ttls@example.com",
722 anonymous_identity="anonymous@example.com",
723 password="password",
724 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
725 erp="1", scan_freq="2412")
726 dev[0].request("DISCONNECT")
727 dev[0].wait_disconnected(timeout=15)
728 dev[0].request("RECONNECT")
729 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
730 dev[0].request("REMOVE_NETWORK all")
731 dev[0].wait_disconnected()
732
733 dev[0].request("ERP_FLUSH")
734 with fail_test(dev[0], 1, "hmac_sha256_kdf;eap_peer_finish"):
735 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
736 identity="erp-ttls@example.com",
737 anonymous_identity="anonymous@example.com",
738 password="password",
739 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
740 erp="1", scan_freq="2412")
741 dev[0].request("DISCONNECT")
742 dev[0].wait_disconnected(timeout=15)
743 dev[0].request("RECONNECT")
744 wait_fail_trigger(dev[0], "GET_FAIL")
745 dev[0].request("REMOVE_NETWORK all")
746 dev[0].wait_disconnected()
Unnamed repository; edit this file 'description' to name the repository.