]>
git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_erp.py
1 # EAP Re-authentication Protocol (ERP) tests
2 # Copyright (c) 2014-2019, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
9 logger
= logging
.getLogger()
14 from utils
import HwsimSkip
, alloc_fail
, fail_test
, wait_fail_trigger
15 from test_ap_eap
import int_eap_server_params
16 from test_ap_psk
import find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
18 def check_erp_capa(dev
):
19 capab
= dev
.get_capability("erp")
20 if not capab
or 'ERP' not in capab
:
21 raise HwsimSkip("ERP not supported in the build")
23 def test_erp_initiate_reauth_start(dev
, apdev
):
24 """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer"""
25 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
26 params
['erp_send_reauth_start'] = '1'
27 params
['erp_domain'] = 'example.com'
28 hapd
= hostapd
.add_ap(apdev
[0], params
)
30 dev
[0].request("ERP_FLUSH")
31 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
32 eap
="PAX", identity
="pax.user@example.com",
33 password_hex
="0123456789abcdef0123456789abcdef",
36 def test_erp_enabled_on_server(dev
, apdev
):
37 """ERP enabled on internal EAP server, but disabled on peer"""
38 params
= int_eap_server_params()
39 params
['erp_send_reauth_start'] = '1'
40 params
['erp_domain'] = 'example.com'
41 params
['eap_server_erp'] = '1'
42 hapd
= hostapd
.add_ap(apdev
[0], params
)
44 dev
[0].request("ERP_FLUSH")
45 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
46 eap
="PAX", identity
="pax.user@example.com",
47 password_hex
="0123456789abcdef0123456789abcdef",
50 def test_erp(dev
, apdev
):
51 """ERP enabled on server and peer"""
52 check_erp_capa(dev
[0])
53 params
= int_eap_server_params()
54 params
['erp_send_reauth_start'] = '1'
55 params
['erp_domain'] = 'example.com'
56 params
['eap_server_erp'] = '1'
57 params
['disable_pmksa_caching'] = '1'
58 hapd
= hostapd
.add_ap(apdev
[0], params
)
60 dev
[0].request("ERP_FLUSH")
61 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
62 eap
="PSK", identity
="psk.user@example.com",
63 password_hex
="0123456789abcdef0123456789abcdef",
64 erp
="1", scan_freq
="2412")
66 dev
[0].request("DISCONNECT")
67 dev
[0].wait_disconnected(timeout
=15)
68 dev
[0].request("RECONNECT")
69 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
71 raise Exception("EAP success timed out")
72 if "EAP re-authentication completed successfully" not in ev
:
73 raise Exception("Did not use ERP")
74 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
76 def test_erp_server_no_match(dev
, apdev
):
77 """ERP enabled on server and peer, but server has no key match"""
78 check_erp_capa(dev
[0])
79 params
= int_eap_server_params()
80 params
['erp_send_reauth_start'] = '1'
81 params
['erp_domain'] = 'example.com'
82 params
['eap_server_erp'] = '1'
83 params
['disable_pmksa_caching'] = '1'
84 hapd
= hostapd
.add_ap(apdev
[0], params
)
86 dev
[0].request("ERP_FLUSH")
87 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
88 eap
="PSK", identity
="psk.user@example.com",
89 password_hex
="0123456789abcdef0123456789abcdef",
90 erp
="1", scan_freq
="2412")
91 dev
[0].request("DISCONNECT")
92 dev
[0].wait_disconnected(timeout
=15)
93 hapd
.request("ERP_FLUSH")
94 dev
[0].request("RECONNECT")
95 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
96 "CTRL-EVENT-EAP-FAILURE"], timeout
=15)
98 raise Exception("EAP result timed out")
99 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
100 raise Exception("Unexpected EAP success")
101 dev
[0].request("DISCONNECT")
102 dev
[0].select_network(id)
103 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
105 raise Exception("EAP success timed out")
106 if "EAP re-authentication completed successfully" in ev
:
107 raise Exception("Unexpected use of ERP")
108 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
110 def start_erp_as(erp_domain
="example.com", msk_dump
=None, tls13
=False,
111 eap_user_file
="auth_serv/eap_user.conf"):
112 params
= {"driver": "none",
113 "interface": "as-erp",
114 "radius_server_clients": "auth_serv/radius_clients.conf",
115 "radius_server_auth_port": '18128',
117 "eap_user_file": eap_user_file
,
118 "ca_cert": "auth_serv/ca.pem",
119 "server_cert": "auth_serv/server.pem",
120 "private_key": "auth_serv/server.key",
121 "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
122 "dh_file": "auth_serv/dh.conf",
123 "pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f",
124 "eap_fast_a_id": "101112131415161718191a1b1c1d1e1f",
125 "eap_fast_a_id_info": "test server",
126 "eap_server_erp": "1",
127 "erp_domain": erp_domain
}
129 params
["dump_msk_file"] = msk_dump
131 params
["tls_flags"] = "[ENABLE-TLSv1.3]"
132 apdev
= {'ifname': 'as-erp'}
133 return hostapd
.add_ap(apdev
, params
, driver
="none")
135 def test_erp_radius(dev
, apdev
):
136 """ERP enabled on RADIUS server and peer"""
137 check_erp_capa(dev
[0])
139 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
140 params
['auth_server_port'] = "18128"
141 params
['erp_send_reauth_start'] = '1'
142 params
['erp_domain'] = 'example.com'
143 params
['disable_pmksa_caching'] = '1'
144 hapd
= hostapd
.add_ap(apdev
[0], params
)
146 dev
[0].request("ERP_FLUSH")
147 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
148 eap
="PSK", identity
="psk.user@example.com",
149 password_hex
="0123456789abcdef0123456789abcdef",
150 erp
="1", scan_freq
="2412")
152 dev
[0].request("DISCONNECT")
153 dev
[0].wait_disconnected(timeout
=15)
154 dev
[0].request("RECONNECT")
155 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
157 raise Exception("EAP success timed out")
158 if "EAP re-authentication completed successfully" not in ev
:
159 raise Exception("Did not use ERP")
160 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
162 def test_erp_radius_no_wildcard_user(dev
, apdev
, params
):
163 """ERP enabled on RADIUS server and peer and no wildcard user"""
164 check_erp_capa(dev
[0])
165 user_file
= os
.path
.join(params
['logdir'],
166 'erp_radius_no_wildcard_user.eap_users')
167 with
open(user_file
, 'w') as f
:
168 f
.write('"user@example.com" PSK 0123456789abcdef0123456789abcdef\n')
169 start_erp_as(eap_user_file
=user_file
)
170 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
171 params
['auth_server_port'] = "18128"
172 params
['erp_send_reauth_start'] = '1'
173 params
['erp_domain'] = 'example.com'
174 params
['disable_pmksa_caching'] = '1'
175 hapd
= hostapd
.add_ap(apdev
[0], params
)
177 dev
[0].request("ERP_FLUSH")
178 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
179 eap
="PSK", identity
="user@example.com",
180 password_hex
="0123456789abcdef0123456789abcdef",
181 erp
="1", scan_freq
="2412")
183 dev
[0].request("DISCONNECT")
184 dev
[0].wait_disconnected(timeout
=15)
185 dev
[0].request("RECONNECT")
186 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
188 raise Exception("EAP success timed out")
189 if "EAP re-authentication completed successfully" not in ev
:
190 raise Exception("Did not use ERP")
191 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
193 def test_erp_radius_ext(dev
, apdev
):
194 """ERP enabled on a separate RADIUS server and peer"""
195 as_hapd
= hostapd
.Hostapd("as")
198 as_hapd
.set("eap_server_erp", "1")
199 as_hapd
.set("erp_domain", "erp.example.com")
201 run_erp_radius_ext(dev
, apdev
)
204 as_hapd
.set("eap_server_erp", "0")
205 as_hapd
.set("erp_domain", "")
208 def run_erp_radius_ext(dev
, apdev
):
209 check_erp_capa(dev
[0])
210 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
211 params
['erp_send_reauth_start'] = '1'
212 params
['erp_domain'] = 'erp.example.com'
213 params
['disable_pmksa_caching'] = '1'
214 hapd
= hostapd
.add_ap(apdev
[0], params
)
216 dev
[0].request("ERP_FLUSH")
217 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
218 eap
="PSK", identity
="psk@erp.example.com",
219 password_hex
="0123456789abcdef0123456789abcdef",
220 erp
="1", scan_freq
="2412")
222 dev
[0].request("DISCONNECT")
223 dev
[0].wait_disconnected(timeout
=15)
224 dev
[0].request("RECONNECT")
225 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
227 raise Exception("EAP success timed out")
228 if "EAP re-authentication completed successfully" not in ev
:
229 raise Exception("Did not use ERP")
230 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
232 def erp_test(dev
, hapd
, reauth
=False, **kwargs
):
233 res
= dev
.get_capability("eap")
234 if kwargs
['eap'] not in res
:
235 logger
.info("Skip ERP test with %s due to missing support" % kwargs
['eap'])
239 dev
.request("ERP_FLUSH")
240 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP", erp
="1",
241 scan_freq
="2412", **kwargs
)
242 dev
.request("DISCONNECT")
243 dev
.wait_disconnected(timeout
=15)
248 dev
.request("ERP_FLUSH")
249 dev
.request("RECONNECT")
250 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
252 raise Exception("EAP success timed out")
253 if "EAP re-authentication completed successfully" in ev
:
254 raise Exception("Used ERP unexpectedly")
255 dev
.wait_connected(timeout
=15, error
="Reconnection timed out")
256 dev
.request("DISCONNECT")
257 dev
.wait_disconnected(timeout
=15)
261 dev
.request("RECONNECT")
262 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
264 raise Exception("EAP success timed out")
265 if "EAP re-authentication completed successfully" not in ev
:
266 raise Exception("Did not use ERP")
267 dev
.wait_connected(timeout
=15, error
="Reconnection timed out")
268 ev
= hapd
.wait_event(["AP-STA-CONNECTED"], timeout
=5)
270 raise Exception("No connection event received from hostapd")
271 dev
.request("DISCONNECT")
273 def test_erp_radius_eap_methods(dev
, apdev
):
274 """ERP enabled on RADIUS server and peer"""
275 check_erp_capa(dev
[0])
276 eap_methods
= dev
[0].get_capability("eap")
278 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
279 params
['auth_server_port'] = "18128"
280 params
['erp_send_reauth_start'] = '1'
281 params
['erp_domain'] = 'example.com'
282 params
['disable_pmksa_caching'] = '1'
283 hapd
= hostapd
.add_ap(apdev
[0], params
)
285 erp_test(dev
[0], hapd
, eap
="AKA", identity
="0232010000000000@example.com",
286 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
287 erp_test(dev
[0], hapd
, reauth
=True,
288 eap
="AKA", identity
="0232010000000000@example.com",
289 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
290 erp_test(dev
[0], hapd
, eap
="AKA'", identity
="6555444333222111@example.com",
291 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
292 erp_test(dev
[0], hapd
, reauth
=True,
293 eap
="AKA'", identity
="6555444333222111@example.com",
294 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
295 erp_test(dev
[0], hapd
, eap
="EKE", identity
="erp-eke@example.com",
297 if "FAST" in eap_methods
:
298 erp_test(dev
[0], hapd
, eap
="FAST", identity
="erp-fast@example.com",
299 password
="password", ca_cert
="auth_serv/ca.pem",
301 phase1
="fast_provisioning=2",
302 pac_file
="blob://fast_pac_auth_erp")
303 erp_test(dev
[0], hapd
, eap
="GPSK", identity
="erp-gpsk@example.com",
304 password
="abcdefghijklmnop0123456789abcdef")
305 erp_test(dev
[0], hapd
, eap
="IKEV2", identity
="erp-ikev2@example.com",
307 erp_test(dev
[0], hapd
, eap
="PAX", identity
="erp-pax@example.com",
308 password_hex
="0123456789abcdef0123456789abcdef")
309 if "MSCHAPV2" in eap_methods
:
310 erp_test(dev
[0], hapd
, eap
="PEAP", identity
="erp-peap@example.com",
311 password
="password", ca_cert
="auth_serv/ca.pem",
312 phase2
="auth=MSCHAPV2")
313 erp_test(dev
[0], hapd
, eap
="TEAP", identity
="erp-teap@example.com",
314 password
="password", ca_cert
="auth_serv/ca.pem",
315 phase2
="auth=MSCHAPV2", pac_file
="blob://teap_pac")
316 erp_test(dev
[0], hapd
, eap
="PSK", identity
="erp-psk@example.com",
317 password_hex
="0123456789abcdef0123456789abcdef")
318 if "PWD" in eap_methods
:
319 erp_test(dev
[0], hapd
, eap
="PWD", identity
="erp-pwd@example.com",
320 password
="secret password")
321 erp_test(dev
[0], hapd
, eap
="SAKE", identity
="erp-sake@example.com",
322 password_hex
="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
323 erp_test(dev
[0], hapd
, eap
="SIM", identity
="1232010000000000@example.com",
324 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
325 erp_test(dev
[0], hapd
, reauth
=True,
326 eap
="SIM", identity
="1232010000000000@example.com",
327 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
328 erp_test(dev
[0], hapd
, eap
="TLS", identity
="erp-tls@example.com",
329 ca_cert
="auth_serv/ca.pem", client_cert
="auth_serv/user.pem",
330 private_key
="auth_serv/user.key")
331 erp_test(dev
[0], hapd
, eap
="TTLS", identity
="erp-ttls@example.com",
332 password
="password", ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
334 def test_erp_radius_eap_tls_v13(dev
, apdev
):
335 """ERP enabled on RADIUS server and peer using EAP-TLS v1.3"""
336 check_erp_capa(dev
[0])
337 tls
= dev
[0].request("GET tls_library")
338 if "run=OpenSSL 1.1.1" not in tls
:
339 raise HwsimSkip("No TLS v1.3 support in TLS library")
341 eap_methods
= dev
[0].get_capability("eap")
342 start_erp_as(tls13
=True)
343 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
344 params
['auth_server_port'] = "18128"
345 params
['erp_send_reauth_start'] = '1'
346 params
['erp_domain'] = 'example.com'
347 params
['disable_pmksa_caching'] = '1'
348 hapd
= hostapd
.add_ap(apdev
[0], params
)
350 erp_test(dev
[0], hapd
, eap
="TLS", identity
="erp-tls@example.com",
351 ca_cert
="auth_serv/ca.pem", client_cert
="auth_serv/user.pem",
352 private_key
="auth_serv/user.key",
353 phase1
="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1 tls_disable_tlsv1_2=1 tls_disable_tlsv1_3=0")
355 def test_erp_key_lifetime_in_memory(dev
, apdev
, params
):
356 """ERP and key lifetime in memory"""
357 check_erp_capa(dev
[0])
358 p
= int_eap_server_params()
359 p
['erp_send_reauth_start'] = '1'
360 p
['erp_domain'] = 'example.com'
361 p
['eap_server_erp'] = '1'
362 p
['disable_pmksa_caching'] = '1'
363 hapd
= hostapd
.add_ap(apdev
[0], p
)
364 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
366 pid
= find_wpas_process(dev
[0])
368 dev
[0].request("ERP_FLUSH")
369 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
370 identity
="pap-secret@example.com", password
=password
,
371 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
372 erp
="1", scan_freq
="2412")
374 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
375 # event has been delivered, so verify that wpa_supplicant has returned to
376 # eloop before reading process memory.
379 password
= password
.encode()
380 buf
= read_process_memory(pid
, password
)
382 dev
[0].request("DISCONNECT")
383 dev
[0].wait_disconnected(timeout
=15)
393 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
394 for l
in f
.readlines():
395 if "EAP-TTLS: Derived key - hexdump" in l
:
396 val
= l
.strip().split(':')[3].replace(' ', '')
397 msk
= binascii
.unhexlify(val
)
398 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
399 val
= l
.strip().split(':')[3].replace(' ', '')
400 emsk
= binascii
.unhexlify(val
)
401 if "EAP: ERP rRK - hexdump" in l
:
402 val
= l
.strip().split(':')[3].replace(' ', '')
403 rRK
= binascii
.unhexlify(val
)
404 if "EAP: ERP rIK - hexdump" in l
:
405 val
= l
.strip().split(':')[3].replace(' ', '')
406 rIK
= binascii
.unhexlify(val
)
407 if "WPA: PMK - hexdump" in l
:
408 val
= l
.strip().split(':')[3].replace(' ', '')
409 pmk
= binascii
.unhexlify(val
)
410 if "WPA: PTK - hexdump" in l
:
411 val
= l
.strip().split(':')[3].replace(' ', '')
412 ptk
= binascii
.unhexlify(val
)
413 if "WPA: Group Key - hexdump" in l
:
414 val
= l
.strip().split(':')[3].replace(' ', '')
415 gtk
= binascii
.unhexlify(val
)
416 if not msk
or not emsk
or not rIK
or not rRK
or not pmk
or not ptk
or not gtk
:
417 raise Exception("Could not find keys from debug log")
419 raise Exception("Unexpected GTK length")
425 fname
= os
.path
.join(params
['logdir'],
426 'erp_key_lifetime_in_memory.memctx-')
428 logger
.info("Checking keys in memory while associated")
429 get_key_locations(buf
, password
, "Password")
430 get_key_locations(buf
, pmk
, "PMK")
431 get_key_locations(buf
, msk
, "MSK")
432 get_key_locations(buf
, emsk
, "EMSK")
433 get_key_locations(buf
, rRK
, "rRK")
434 get_key_locations(buf
, rIK
, "rIK")
435 if password
not in buf
:
436 raise HwsimSkip("Password not found while associated")
438 raise HwsimSkip("PMK not found while associated")
440 raise Exception("KCK not found while associated")
442 raise Exception("KEK not found while associated")
444 # raise Exception("TK found from memory")
446 logger
.info("Checking keys in memory after disassociation")
447 buf
= read_process_memory(pid
, password
)
449 # Note: Password is still present in network configuration
450 # Note: PMK is in EAP fast re-auth data
452 get_key_locations(buf
, password
, "Password")
453 get_key_locations(buf
, pmk
, "PMK")
454 get_key_locations(buf
, msk
, "MSK")
455 get_key_locations(buf
, emsk
, "EMSK")
456 get_key_locations(buf
, rRK
, "rRK")
457 get_key_locations(buf
, rIK
, "rIK")
458 verify_not_present(buf
, kck
, fname
, "KCK")
459 verify_not_present(buf
, kek
, fname
, "KEK")
460 verify_not_present(buf
, tk
, fname
, "TK")
462 get_key_locations(buf
, gtk
, "GTK")
463 verify_not_present(buf
, gtk
, fname
, "GTK")
465 dev
[0].request("RECONNECT")
466 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
468 raise Exception("EAP success timed out")
469 if "EAP re-authentication completed successfully" not in ev
:
470 raise Exception("Did not use ERP")
471 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
473 dev
[0].request("DISCONNECT")
474 dev
[0].wait_disconnected(timeout
=15)
480 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
481 for l
in f
.readlines():
482 if "WPA: PMK - hexdump" in l
:
483 val
= l
.strip().split(':')[3].replace(' ', '')
484 pmk
= binascii
.unhexlify(val
)
485 if "WPA: PTK - hexdump" in l
:
486 val
= l
.strip().split(':')[3].replace(' ', '')
487 ptk
= binascii
.unhexlify(val
)
488 if "WPA: GTK in EAPOL-Key - hexdump" in l
:
489 val
= l
.strip().split(':')[3].replace(' ', '')
490 gtk
= binascii
.unhexlify(val
)
491 if not pmk
or not ptk
or not gtk
:
492 raise Exception("Could not find keys from debug log")
498 logger
.info("Checking keys in memory after ERP and disassociation")
499 buf
= read_process_memory(pid
, password
)
501 # Note: Password is still present in network configuration
503 get_key_locations(buf
, password
, "Password")
504 get_key_locations(buf
, pmk
, "PMK")
505 get_key_locations(buf
, msk
, "MSK")
506 get_key_locations(buf
, emsk
, "EMSK")
507 get_key_locations(buf
, rRK
, "rRK")
508 get_key_locations(buf
, rIK
, "rIK")
509 verify_not_present(buf
, kck
, fname
, "KCK")
510 verify_not_present(buf
, kek
, fname
, "KEK")
511 verify_not_present(buf
, tk
, fname
, "TK")
512 verify_not_present(buf
, gtk
, fname
, "GTK")
514 dev
[0].request("REMOVE_NETWORK all")
516 logger
.info("Checking keys in memory after network profile removal")
517 buf
= read_process_memory(pid
, password
)
519 # Note: rRK and rIK are still in memory
521 get_key_locations(buf
, password
, "Password")
522 get_key_locations(buf
, pmk
, "PMK")
523 get_key_locations(buf
, msk
, "MSK")
524 get_key_locations(buf
, emsk
, "EMSK")
525 get_key_locations(buf
, rRK
, "rRK")
526 get_key_locations(buf
, rIK
, "rIK")
527 verify_not_present(buf
, password
, fname
, "password")
528 verify_not_present(buf
, pmk
, fname
, "PMK")
529 verify_not_present(buf
, kck
, fname
, "KCK")
530 verify_not_present(buf
, kek
, fname
, "KEK")
531 verify_not_present(buf
, tk
, fname
, "TK")
532 verify_not_present(buf
, gtk
, fname
, "GTK")
533 verify_not_present(buf
, msk
, fname
, "MSK")
534 verify_not_present(buf
, emsk
, fname
, "EMSK")
536 dev
[0].request("ERP_FLUSH")
537 logger
.info("Checking keys in memory after ERP_FLUSH")
538 buf
= read_process_memory(pid
, password
)
539 get_key_locations(buf
, rRK
, "rRK")
540 get_key_locations(buf
, rIK
, "rIK")
541 verify_not_present(buf
, rRK
, fname
, "rRK")
542 verify_not_present(buf
, rIK
, fname
, "rIK")
544 def test_erp_anonymous_identity(dev
, apdev
):
545 """ERP and anonymous identity"""
546 check_erp_capa(dev
[0])
547 params
= int_eap_server_params()
548 params
['erp_send_reauth_start'] = '1'
549 params
['erp_domain'] = 'example.com'
550 params
['eap_server_erp'] = '1'
551 params
['disable_pmksa_caching'] = '1'
552 hapd
= hostapd
.add_ap(apdev
[0], params
)
554 dev
[0].request("ERP_FLUSH")
555 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
557 anonymous_identity
="anonymous@example.com",
559 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
560 erp
="1", scan_freq
="2412")
562 dev
[0].request("DISCONNECT")
563 dev
[0].wait_disconnected(timeout
=15)
564 dev
[0].request("RECONNECT")
565 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
567 raise Exception("EAP success timed out")
568 if "EAP re-authentication completed successfully" not in ev
:
569 raise Exception("Did not use ERP")
570 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
572 def test_erp_home_realm_oom(dev
, apdev
):
573 """ERP and home realm OOM"""
574 check_erp_capa(dev
[0])
575 params
= int_eap_server_params()
576 params
['erp_send_reauth_start'] = '1'
577 params
['erp_domain'] = 'example.com'
578 params
['eap_server_erp'] = '1'
579 params
['disable_pmksa_caching'] = '1'
580 hapd
= hostapd
.add_ap(apdev
[0], params
)
582 for count
in range(1, 3):
583 with
alloc_fail(dev
[0], count
, "eap_get_realm"):
584 dev
[0].request("ERP_FLUSH")
585 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
586 identity
="erp-ttls@example.com",
587 anonymous_identity
="anonymous@example.com",
589 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
590 erp
="1", scan_freq
="2412", wait_connect
=False)
591 dev
[0].wait_connected(timeout
=10)
592 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
593 dev
[0].request("REMOVE_NETWORK all")
594 dev
[0].wait_disconnected()
596 for count
in range(1, 3):
597 with
alloc_fail(dev
[0], count
, "eap_get_realm"):
598 dev
[0].request("ERP_FLUSH")
599 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
601 anonymous_identity
="anonymous@example.com",
603 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
604 erp
="1", scan_freq
="2412", wait_connect
=False)
605 dev
[0].wait_connected(timeout
=10)
606 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
607 dev
[0].request("REMOVE_NETWORK all")
608 dev
[0].wait_disconnected()
610 for count
in range(1, 3):
611 dev
[0].request("ERP_FLUSH")
612 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
613 identity
="erp-ttls@example.com",
614 anonymous_identity
="anonymous@example.com",
616 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
617 erp
="1", scan_freq
="2412", wait_connect
=False)
618 dev
[0].wait_connected(timeout
=10)
621 with
alloc_fail(dev
[0], count
, "eap_get_realm"):
622 dev
[0].request("DISCONNECT")
623 dev
[0].wait_disconnected(timeout
=15)
624 dev
[0].request("RECONNECT")
625 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
626 dev
[0].request("REMOVE_NETWORK all")
627 dev
[0].wait_disconnected()
629 def test_erp_local_errors(dev
, apdev
):
630 """ERP and local error cases"""
631 check_erp_capa(dev
[0])
632 params
= int_eap_server_params()
633 params
['erp_send_reauth_start'] = '1'
634 params
['erp_domain'] = 'example.com'
635 params
['eap_server_erp'] = '1'
636 params
['disable_pmksa_caching'] = '1'
637 hapd
= hostapd
.add_ap(apdev
[0], params
)
639 dev
[0].request("ERP_FLUSH")
640 with
alloc_fail(dev
[0], 1, "eap_peer_erp_init"):
641 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
642 identity
="erp-ttls@example.com",
643 anonymous_identity
="anonymous@example.com",
645 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
646 erp
="1", scan_freq
="2412")
647 dev
[0].request("REMOVE_NETWORK all")
648 dev
[0].wait_disconnected()
650 for count
in range(1, 6):
651 dev
[0].request("ERP_FLUSH")
652 with
fail_test(dev
[0], count
, "hmac_sha256_kdf;eap_peer_erp_init"):
653 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
654 identity
="erp-ttls@example.com",
655 anonymous_identity
="anonymous@example.com",
657 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
658 erp
="1", scan_freq
="2412")
659 dev
[0].request("REMOVE_NETWORK all")
660 dev
[0].wait_disconnected()
662 dev
[0].request("ERP_FLUSH")
663 with
alloc_fail(dev
[0], 1, "eap_msg_alloc;eap_peer_erp_reauth_start"):
664 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
665 identity
="erp-ttls@example.com",
666 anonymous_identity
="anonymous@example.com",
668 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
669 erp
="1", scan_freq
="2412")
670 dev
[0].request("DISCONNECT")
671 dev
[0].wait_disconnected(timeout
=15)
672 dev
[0].request("RECONNECT")
673 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
674 dev
[0].request("REMOVE_NETWORK all")
675 dev
[0].wait_disconnected()
677 dev
[0].request("ERP_FLUSH")
678 with
fail_test(dev
[0], 1, "hmac_sha256;eap_peer_erp_reauth_start"):
679 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
680 identity
="erp-ttls@example.com",
681 anonymous_identity
="anonymous@example.com",
683 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
684 erp
="1", scan_freq
="2412")
685 dev
[0].request("DISCONNECT")
686 dev
[0].wait_disconnected(timeout
=15)
687 dev
[0].request("RECONNECT")
688 wait_fail_trigger(dev
[0], "GET_FAIL")
689 dev
[0].request("REMOVE_NETWORK all")
690 dev
[0].wait_disconnected()
692 dev
[0].request("ERP_FLUSH")
693 with
fail_test(dev
[0], 1, "hmac_sha256;eap_peer_finish"):
694 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
695 identity
="erp-ttls@example.com",
696 anonymous_identity
="anonymous@example.com",
698 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
699 erp
="1", scan_freq
="2412")
700 dev
[0].request("DISCONNECT")
701 dev
[0].wait_disconnected(timeout
=15)
702 dev
[0].request("RECONNECT")
703 wait_fail_trigger(dev
[0], "GET_FAIL")
704 dev
[0].request("REMOVE_NETWORK all")
705 dev
[0].wait_disconnected()
707 dev
[0].request("ERP_FLUSH")
708 with
alloc_fail(dev
[0], 1, "eap_peer_erp_init"):
709 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
710 identity
="erp-ttls@example.com",
711 anonymous_identity
="anonymous@example.com",
713 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
714 erp
="1", scan_freq
="2412")
715 dev
[0].request("DISCONNECT")
716 dev
[0].wait_disconnected(timeout
=15)
718 dev
[0].request("ERP_FLUSH")
719 with
alloc_fail(dev
[0], 1, "eap_peer_finish"):
720 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
721 identity
="erp-ttls@example.com",
722 anonymous_identity
="anonymous@example.com",
724 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
725 erp
="1", scan_freq
="2412")
726 dev
[0].request("DISCONNECT")
727 dev
[0].wait_disconnected(timeout
=15)
728 dev
[0].request("RECONNECT")
729 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
730 dev
[0].request("REMOVE_NETWORK all")
731 dev
[0].wait_disconnected()
733 dev
[0].request("ERP_FLUSH")
734 with
fail_test(dev
[0], 1, "hmac_sha256_kdf;eap_peer_finish"):
735 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
736 identity
="erp-ttls@example.com",
737 anonymous_identity
="anonymous@example.com",
739 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
740 erp
="1", scan_freq
="2412")
741 dev
[0].request("DISCONNECT")
742 dev
[0].wait_disconnected(timeout
=15)
743 dev
[0].request("RECONNECT")
744 wait_fail_trigger(dev
[0], "GET_FAIL")
745 dev
[0].request("REMOVE_NETWORK all")
746 dev
[0].wait_disconnected()