]> git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_erp.py
projects / thirdparty / hostap.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tests: Comment out during-association TK-in-memory checks
[thirdparty/hostap.git] / tests / hwsim / test_erp.py
1 # EAP Re-authentication Protocol (ERP) tests
2 # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
3 #
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
6
7 import binascii
8 import logging
9 logger = logging.getLogger()
10 import os
11 import time
12
13 import hostapd
14 from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger
15 from test_ap_eap import int_eap_server_params
16 from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
17
18 def check_erp_capa(dev):
19 capab = dev.get_capability("erp")
20 if not capab or 'ERP' not in capab:
21 raise HwsimSkip("ERP not supported in the build")
22
23 def test_erp_initiate_reauth_start(dev, apdev):
24 """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer"""
25 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
26 params['erp_send_reauth_start'] = '1'
27 params['erp_domain'] = 'example.com'
28 hapd = hostapd.add_ap(apdev[0], params)
29
30 dev[0].request("ERP_FLUSH")
31 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
32 eap="PAX", identity="pax.user@example.com",
33 password_hex="0123456789abcdef0123456789abcdef",
34 scan_freq="2412")
35
36 def test_erp_enabled_on_server(dev, apdev):
37 """ERP enabled on internal EAP server, but disabled on peer"""
38 params = int_eap_server_params()
39 params['erp_send_reauth_start'] = '1'
40 params['erp_domain'] = 'example.com'
41 params['eap_server_erp'] = '1'
42 hapd = hostapd.add_ap(apdev[0], params)
43
44 dev[0].request("ERP_FLUSH")
45 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
46 eap="PAX", identity="pax.user@example.com",
47 password_hex="0123456789abcdef0123456789abcdef",
48 scan_freq="2412")
49
50 def test_erp(dev, apdev):
51 """ERP enabled on server and peer"""
52 check_erp_capa(dev[0])
53 params = int_eap_server_params()
54 params['erp_send_reauth_start'] = '1'
55 params['erp_domain'] = 'example.com'
56 params['eap_server_erp'] = '1'
57 params['disable_pmksa_caching'] = '1'
58 hapd = hostapd.add_ap(apdev[0], params)
59
60 dev[0].request("ERP_FLUSH")
61 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
62 eap="PSK", identity="psk.user@example.com",
63 password_hex="0123456789abcdef0123456789abcdef",
64 erp="1", scan_freq="2412")
65 for i in range(3):
66 dev[0].request("DISCONNECT")
67 dev[0].wait_disconnected(timeout=15)
68 dev[0].request("RECONNECT")
69 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
70 if ev is None:
71 raise Exception("EAP success timed out")
72 if "EAP re-authentication completed successfully" not in ev:
73 raise Exception("Did not use ERP")
74 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
75
76 def test_erp_server_no_match(dev, apdev):
77 """ERP enabled on server and peer, but server has no key match"""
78 check_erp_capa(dev[0])
79 params = int_eap_server_params()
80 params['erp_send_reauth_start'] = '1'
81 params['erp_domain'] = 'example.com'
82 params['eap_server_erp'] = '1'
83 params['disable_pmksa_caching'] = '1'
84 hapd = hostapd.add_ap(apdev[0], params)
85
86 dev[0].request("ERP_FLUSH")
87 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
88 eap="PSK", identity="psk.user@example.com",
89 password_hex="0123456789abcdef0123456789abcdef",
90 erp="1", scan_freq="2412")
91 dev[0].request("DISCONNECT")
92 dev[0].wait_disconnected(timeout=15)
93 hapd.request("ERP_FLUSH")
94 dev[0].request("RECONNECT")
95 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
96 "CTRL-EVENT-EAP-FAILURE"], timeout=15)
97 if ev is None:
98 raise Exception("EAP result timed out")
99 if "CTRL-EVENT-EAP-SUCCESS" in ev:
100 raise Exception("Unexpected EAP success")
101 dev[0].request("DISCONNECT")
102 dev[0].select_network(id)
103 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
104 if ev is None:
105 raise Exception("EAP success timed out")
106 if "EAP re-authentication completed successfully" in ev:
107 raise Exception("Unexpected use of ERP")
108 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
109
110 def start_erp_as(apdev, erp_domain="example.com", msk_dump=None):
111 params = { "ssid": "as", "beacon_int": "2000",
112 "radius_server_clients": "auth_serv/radius_clients.conf",
113 "radius_server_auth_port": '18128',
114 "eap_server": "1",
115 "eap_user_file": "auth_serv/eap_user.conf",
116 "ca_cert": "auth_serv/ca.pem",
117 "server_cert": "auth_serv/server.pem",
118 "private_key": "auth_serv/server.key",
119 "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
120 "dh_file": "auth_serv/dh.conf",
121 "pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f",
122 "eap_fast_a_id": "101112131415161718191a1b1c1d1e1f",
123 "eap_fast_a_id_info": "test server",
124 "eap_server_erp": "1",
125 "erp_domain": erp_domain }
126 if msk_dump:
127 params["dump_msk_file"] = msk_dump
128 return hostapd.add_ap(apdev, params)
129
130 def test_erp_radius(dev, apdev):
131 """ERP enabled on RADIUS server and peer"""
132 check_erp_capa(dev[0])
133 start_erp_as(apdev[1])
134 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
135 params['auth_server_port'] = "18128"
136 params['erp_send_reauth_start'] = '1'
137 params['erp_domain'] = 'example.com'
138 params['disable_pmksa_caching'] = '1'
139 hapd = hostapd.add_ap(apdev[0], params)
140
141 dev[0].request("ERP_FLUSH")
142 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
143 eap="PSK", identity="psk.user@example.com",
144 password_hex="0123456789abcdef0123456789abcdef",
145 erp="1", scan_freq="2412")
146 for i in range(3):
147 dev[0].request("DISCONNECT")
148 dev[0].wait_disconnected(timeout=15)
149 dev[0].request("RECONNECT")
150 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
151 if ev is None:
152 raise Exception("EAP success timed out")
153 if "EAP re-authentication completed successfully" not in ev:
154 raise Exception("Did not use ERP")
155 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
156
157 def erp_test(dev, hapd, **kwargs):
158 res = dev.get_capability("eap")
159 if kwargs['eap'] not in res:
160 logger.info("Skip ERP test with %s due to missing support" % kwargs['eap'])
161 return
162 hapd.dump_monitor()
163 dev.dump_monitor()
164 dev.request("ERP_FLUSH")
165 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", erp="1",
166 scan_freq="2412", **kwargs)
167 dev.request("DISCONNECT")
168 dev.wait_disconnected(timeout=15)
169 hapd.dump_monitor()
170 dev.request("RECONNECT")
171 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
172 if ev is None:
173 raise Exception("EAP success timed out")
174 if "EAP re-authentication completed successfully" not in ev:
175 raise Exception("Did not use ERP")
176 dev.wait_connected(timeout=15, error="Reconnection timed out")
177 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
178 if ev is None:
179 raise Exception("No connection event received from hostapd")
180 dev.request("DISCONNECT")
181
182 def test_erp_radius_eap_methods(dev, apdev):
183 """ERP enabled on RADIUS server and peer"""
184 check_erp_capa(dev[0])
185 eap_methods = dev[0].get_capability("eap")
186 start_erp_as(apdev[1])
187 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
188 params['auth_server_port'] = "18128"
189 params['erp_send_reauth_start'] = '1'
190 params['erp_domain'] = 'example.com'
191 params['disable_pmksa_caching'] = '1'
192 hapd = hostapd.add_ap(apdev[0], params)
193
194 erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com",
195 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
196 erp_test(dev[0], hapd, eap="AKA'", identity="6555444333222111@example.com",
197 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
198 erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com",
199 password="hello")
200 if "FAST" in eap_methods:
201 erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com",
202 password="password", ca_cert="auth_serv/ca.pem",
203 phase2="auth=GTC",
204 phase1="fast_provisioning=2",
205 pac_file="blob://fast_pac_auth_erp")
206 erp_test(dev[0], hapd, eap="GPSK", identity="erp-gpsk@example.com",
207 password="abcdefghijklmnop0123456789abcdef")
208 erp_test(dev[0], hapd, eap="IKEV2", identity="erp-ikev2@example.com",
209 password="password")
210 erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com",
211 password_hex="0123456789abcdef0123456789abcdef")
212 # TODO: PEAP (EMSK)
213 #if "MSCHAPV2" in eap_methods:
214 # erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com",
215 # password="password", ca_cert="auth_serv/ca.pem",
216 # phase2="auth=MSCHAPV2")
217 erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com",
218 password_hex="0123456789abcdef0123456789abcdef")
219 if "PWD" in eap_methods:
220 erp_test(dev[0], hapd, eap="PWD", identity="erp-pwd@example.com",
221 password="secret password")
222 erp_test(dev[0], hapd, eap="SAKE", identity="erp-sake@example.com",
223 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
224 erp_test(dev[0], hapd, eap="SIM", identity="1232010000000000@example.com",
225 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
226 erp_test(dev[0], hapd, eap="TLS", identity="erp-tls@example.com",
227 ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
228 private_key="auth_serv/user.key")
229 erp_test(dev[0], hapd, eap="TTLS", identity="erp-ttls@example.com",
230 password="password", ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
231
232 def test_erp_key_lifetime_in_memory(dev, apdev, params):
233 """ERP and key lifetime in memory"""
234 check_erp_capa(dev[0])
235 p = int_eap_server_params()
236 p['erp_send_reauth_start'] = '1'
237 p['erp_domain'] = 'example.com'
238 p['eap_server_erp'] = '1'
239 p['disable_pmksa_caching'] = '1'
240 hapd = hostapd.add_ap(apdev[0], p)
241 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
242
243 pid = find_wpas_process(dev[0])
244
245 dev[0].request("ERP_FLUSH")
246 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
247 identity="pap-secret@example.com", password=password,
248 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
249 erp="1", scan_freq="2412")
250
251 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
252 # event has been delivered, so verify that wpa_supplicant has returned to
253 # eloop before reading process memory.
254 time.sleep(1)
255 dev[0].ping()
256 buf = read_process_memory(pid, password)
257
258 dev[0].request("DISCONNECT")
259 dev[0].wait_disconnected(timeout=15)
260
261 dev[0].relog()
262 msk = None
263 emsk = None
264 rRK = None
265 rIK = None
266 pmk = None
267 ptk = None
268 gtk = None
269 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
270 for l in f.readlines():
271 if "EAP-TTLS: Derived key - hexdump" in l:
272 val = l.strip().split(':')[3].replace(' ', '')
273 msk = binascii.unhexlify(val)
274 if "EAP-TTLS: Derived EMSK - hexdump" in l:
275 val = l.strip().split(':')[3].replace(' ', '')
276 emsk = binascii.unhexlify(val)
277 if "EAP: ERP rRK - hexdump" in l:
278 val = l.strip().split(':')[3].replace(' ', '')
279 rRK = binascii.unhexlify(val)
280 if "EAP: ERP rIK - hexdump" in l:
281 val = l.strip().split(':')[3].replace(' ', '')
282 rIK = binascii.unhexlify(val)
283 if "WPA: PMK - hexdump" in l:
284 val = l.strip().split(':')[3].replace(' ', '')
285 pmk = binascii.unhexlify(val)
286 if "WPA: PTK - hexdump" in l:
287 val = l.strip().split(':')[3].replace(' ', '')
288 ptk = binascii.unhexlify(val)
289 if "WPA: Group Key - hexdump" in l:
290 val = l.strip().split(':')[3].replace(' ', '')
291 gtk = binascii.unhexlify(val)
292 if not msk or not emsk or not rIK or not rRK or not pmk or not ptk or not gtk:
293 raise Exception("Could not find keys from debug log")
294 if len(gtk) != 16:
295 raise Exception("Unexpected GTK length")
296
297 kck = ptk[0:16]
298 kek = ptk[16:32]
299 tk = ptk[32:48]
300
301 fname = os.path.join(params['logdir'],
302 'erp_key_lifetime_in_memory.memctx-')
303
304 logger.info("Checking keys in memory while associated")
305 get_key_locations(buf, password, "Password")
306 get_key_locations(buf, pmk, "PMK")
307 get_key_locations(buf, msk, "MSK")
308 get_key_locations(buf, emsk, "EMSK")
309 get_key_locations(buf, rRK, "rRK")
310 get_key_locations(buf, rIK, "rIK")
311 if password not in buf:
312 raise HwsimSkip("Password not found while associated")
313 if pmk not in buf:
314 raise HwsimSkip("PMK not found while associated")
315 if kck not in buf:
316 raise Exception("KCK not found while associated")
317 if kek not in buf:
318 raise Exception("KEK not found while associated")
319 #if tk in buf:
320 # raise Exception("TK found from memory")
321
322 logger.info("Checking keys in memory after disassociation")
323 buf = read_process_memory(pid, password)
324
325 # Note: Password is still present in network configuration
326 # Note: PMK is in EAP fast re-auth data
327
328 get_key_locations(buf, password, "Password")
329 get_key_locations(buf, pmk, "PMK")
330 get_key_locations(buf, msk, "MSK")
331 get_key_locations(buf, emsk, "EMSK")
332 get_key_locations(buf, rRK, "rRK")
333 get_key_locations(buf, rIK, "rIK")
334 verify_not_present(buf, kck, fname, "KCK")
335 verify_not_present(buf, kek, fname, "KEK")
336 verify_not_present(buf, tk, fname, "TK")
337 if gtk in buf:
338 get_key_locations(buf, gtk, "GTK")
339 verify_not_present(buf, gtk, fname, "GTK")
340
341 dev[0].request("RECONNECT")
342 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
343 if ev is None:
344 raise Exception("EAP success timed out")
345 if "EAP re-authentication completed successfully" not in ev:
346 raise Exception("Did not use ERP")
347 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
348
349 dev[0].request("DISCONNECT")
350 dev[0].wait_disconnected(timeout=15)
351
352 dev[0].relog()
353 pmk = None
354 ptk = None
355 gtk = None
356 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
357 for l in f.readlines():
358 if "WPA: PMK - hexdump" in l:
359 val = l.strip().split(':')[3].replace(' ', '')
360 pmk = binascii.unhexlify(val)
361 if "WPA: PTK - hexdump" in l:
362 val = l.strip().split(':')[3].replace(' ', '')
363 ptk = binascii.unhexlify(val)
364 if "WPA: GTK in EAPOL-Key - hexdump" in l:
365 val = l.strip().split(':')[3].replace(' ', '')
366 gtk = binascii.unhexlify(val)
367 if not pmk or not ptk or not gtk:
368 raise Exception("Could not find keys from debug log")
369
370 kck = ptk[0:16]
371 kek = ptk[16:32]
372 tk = ptk[32:48]
373
374 logger.info("Checking keys in memory after ERP and disassociation")
375 buf = read_process_memory(pid, password)
376
377 # Note: Password is still present in network configuration
378
379 get_key_locations(buf, password, "Password")
380 get_key_locations(buf, pmk, "PMK")
381 get_key_locations(buf, msk, "MSK")
382 get_key_locations(buf, emsk, "EMSK")
383 get_key_locations(buf, rRK, "rRK")
384 get_key_locations(buf, rIK, "rIK")
385 verify_not_present(buf, kck, fname, "KCK")
386 verify_not_present(buf, kek, fname, "KEK")
387 verify_not_present(buf, tk, fname, "TK")
388 verify_not_present(buf, gtk, fname, "GTK")
389
390 dev[0].request("REMOVE_NETWORK all")
391
392 logger.info("Checking keys in memory after network profile removal")
393 buf = read_process_memory(pid, password)
394
395 # Note: rRK and rIK are still in memory
396
397 get_key_locations(buf, password, "Password")
398 get_key_locations(buf, pmk, "PMK")
399 get_key_locations(buf, msk, "MSK")
400 get_key_locations(buf, emsk, "EMSK")
401 get_key_locations(buf, rRK, "rRK")
402 get_key_locations(buf, rIK, "rIK")
403 verify_not_present(buf, password, fname, "password")
404 verify_not_present(buf, pmk, fname, "PMK")
405 verify_not_present(buf, kck, fname, "KCK")
406 verify_not_present(buf, kek, fname, "KEK")
407 verify_not_present(buf, tk, fname, "TK")
408 verify_not_present(buf, gtk, fname, "GTK")
409 verify_not_present(buf, msk, fname, "MSK")
410 verify_not_present(buf, emsk, fname, "EMSK")
411
412 dev[0].request("ERP_FLUSH")
413 logger.info("Checking keys in memory after ERP_FLUSH")
414 buf = read_process_memory(pid, password)
415 get_key_locations(buf, rRK, "rRK")
416 get_key_locations(buf, rIK, "rIK")
417 verify_not_present(buf, rRK, fname, "rRK")
418 verify_not_present(buf, rIK, fname, "rIK")
419
420 def test_erp_anonymous_identity(dev, apdev):
421 """ERP and anonymous identity"""
422 check_erp_capa(dev[0])
423 params = int_eap_server_params()
424 params['erp_send_reauth_start'] = '1'
425 params['erp_domain'] = 'example.com'
426 params['eap_server_erp'] = '1'
427 params['disable_pmksa_caching'] = '1'
428 hapd = hostapd.add_ap(apdev[0], params)
429
430 dev[0].request("ERP_FLUSH")
431 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
432 identity="erp-ttls",
433 anonymous_identity="anonymous@example.com",
434 password="password",
435 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
436 erp="1", scan_freq="2412")
437 for i in range(3):
438 dev[0].request("DISCONNECT")
439 dev[0].wait_disconnected(timeout=15)
440 dev[0].request("RECONNECT")
441 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
442 if ev is None:
443 raise Exception("EAP success timed out")
444 if "EAP re-authentication completed successfully" not in ev:
445 raise Exception("Did not use ERP")
446 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
447
448 def test_erp_home_realm_oom(dev, apdev):
449 """ERP and home realm OOM"""
450 check_erp_capa(dev[0])
451 params = int_eap_server_params()
452 params['erp_send_reauth_start'] = '1'
453 params['erp_domain'] = 'example.com'
454 params['eap_server_erp'] = '1'
455 params['disable_pmksa_caching'] = '1'
456 hapd = hostapd.add_ap(apdev[0], params)
457
458 for count in range(1, 3):
459 with alloc_fail(dev[0], count, "eap_get_realm"):
460 dev[0].request("ERP_FLUSH")
461 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
462 identity="erp-ttls@example.com",
463 anonymous_identity="anonymous@example.com",
464 password="password",
465 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
466 erp="1", scan_freq="2412", wait_connect=False)
467 dev[0].wait_connected(timeout=10)
468 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
469 dev[0].request("REMOVE_NETWORK all")
470 dev[0].wait_disconnected()
471
472 for count in range(1, 3):
473 with alloc_fail(dev[0], count, "eap_get_realm"):
474 dev[0].request("ERP_FLUSH")
475 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
476 identity="erp-ttls",
477 anonymous_identity="anonymous@example.com",
478 password="password",
479 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
480 erp="1", scan_freq="2412", wait_connect=False)
481 dev[0].wait_connected(timeout=10)
482 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
483 dev[0].request("REMOVE_NETWORK all")
484 dev[0].wait_disconnected()
485
486 for count in range(1, 3):
487 dev[0].request("ERP_FLUSH")
488 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
489 identity="erp-ttls@example.com",
490 anonymous_identity="anonymous@example.com",
491 password="password",
492 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
493 erp="1", scan_freq="2412", wait_connect=False)
494 dev[0].wait_connected(timeout=10)
495 if range > 1:
496 continue
497 with alloc_fail(dev[0], count, "eap_get_realm"):
498 dev[0].request("DISCONNECT")
499 dev[0].wait_disconnected(timeout=15)
500 dev[0].request("RECONNECT")
501 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
502 dev[0].request("REMOVE_NETWORK all")
503 dev[0].wait_disconnected()
504
505 def test_erp_local_errors(dev, apdev):
506 """ERP and local error cases"""
507 check_erp_capa(dev[0])
508 params = int_eap_server_params()
509 params['erp_send_reauth_start'] = '1'
510 params['erp_domain'] = 'example.com'
511 params['eap_server_erp'] = '1'
512 params['disable_pmksa_caching'] = '1'
513 hapd = hostapd.add_ap(apdev[0], params)
514
515 dev[0].request("ERP_FLUSH")
516 with alloc_fail(dev[0], 1, "eap_peer_erp_init"):
517 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
518 identity="erp-ttls@example.com",
519 anonymous_identity="anonymous@example.com",
520 password="password",
521 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
522 erp="1", scan_freq="2412")
523 dev[0].request("REMOVE_NETWORK all")
524 dev[0].wait_disconnected()
525
526 for count in range(1, 6):
527 dev[0].request("ERP_FLUSH")
528 with fail_test(dev[0], count, "hmac_sha256_kdf;eap_peer_erp_init"):
529 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
530 identity="erp-ttls@example.com",
531 anonymous_identity="anonymous@example.com",
532 password="password",
533 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
534 erp="1", scan_freq="2412")
535 dev[0].request("REMOVE_NETWORK all")
536 dev[0].wait_disconnected()
537
538 dev[0].request("ERP_FLUSH")
539 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_peer_erp_reauth_start"):
540 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
541 identity="erp-ttls@example.com",
542 anonymous_identity="anonymous@example.com",
543 password="password",
544 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
545 erp="1", scan_freq="2412")
546 dev[0].request("DISCONNECT")
547 dev[0].wait_disconnected(timeout=15)
548 dev[0].request("RECONNECT")
549 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
550 dev[0].request("REMOVE_NETWORK all")
551 dev[0].wait_disconnected()
552
553 dev[0].request("ERP_FLUSH")
554 with fail_test(dev[0], 1, "hmac_sha256;eap_peer_erp_reauth_start"):
555 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
556 identity="erp-ttls@example.com",
557 anonymous_identity="anonymous@example.com",
558 password="password",
559 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
560 erp="1", scan_freq="2412")
561 dev[0].request("DISCONNECT")
562 dev[0].wait_disconnected(timeout=15)
563 dev[0].request("RECONNECT")
564 wait_fail_trigger(dev[0], "GET_FAIL")
565 dev[0].request("REMOVE_NETWORK all")
566 dev[0].wait_disconnected()
567
568 dev[0].request("ERP_FLUSH")
569 with fail_test(dev[0], 1, "hmac_sha256;eap_peer_finish"):
570 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
571 identity="erp-ttls@example.com",
572 anonymous_identity="anonymous@example.com",
573 password="password",
574 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
575 erp="1", scan_freq="2412")
576 dev[0].request("DISCONNECT")
577 dev[0].wait_disconnected(timeout=15)
578 dev[0].request("RECONNECT")
579 wait_fail_trigger(dev[0], "GET_FAIL")
580 dev[0].request("REMOVE_NETWORK all")
581 dev[0].wait_disconnected()
582
583 dev[0].request("ERP_FLUSH")
584 with alloc_fail(dev[0], 1, "eap_peer_erp_init"):
585 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
586 identity="erp-ttls@example.com",
587 anonymous_identity="anonymous@example.com",
588 password="password",
589 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
590 erp="1", scan_freq="2412")
591 dev[0].request("DISCONNECT")
592 dev[0].wait_disconnected(timeout=15)
593
594 dev[0].request("ERP_FLUSH")
595 with alloc_fail(dev[0], 1, "eap_peer_finish"):
596 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
597 identity="erp-ttls@example.com",
598 anonymous_identity="anonymous@example.com",
599 password="password",
600 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
601 erp="1", scan_freq="2412")
602 dev[0].request("DISCONNECT")
603 dev[0].wait_disconnected(timeout=15)
604 dev[0].request("RECONNECT")
605 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
606 dev[0].request("REMOVE_NETWORK all")
607 dev[0].wait_disconnected()
608
609 dev[0].request("ERP_FLUSH")
610 with fail_test(dev[0], 1, "hmac_sha256_kdf;eap_peer_finish"):
611 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
612 identity="erp-ttls@example.com",
613 anonymous_identity="anonymous@example.com",
614 password="password",
615 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
616 erp="1", scan_freq="2412")
617 dev[0].request("DISCONNECT")
618 dev[0].wait_disconnected(timeout=15)
619 dev[0].request("RECONNECT")
620 wait_fail_trigger(dev[0], "GET_FAIL")
621 dev[0].request("REMOVE_NETWORK all")
622 dev[0].wait_disconnected()
Unnamed repository; edit this file 'description' to name the repository.