]>
git.ipfire.org Git - thirdparty/hostap.git/blob - tests/hwsim/test_erp.py
1 # EAP Re-authentication Protocol (ERP) tests
2 # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
9 logger
= logging
.getLogger()
14 from utils
import HwsimSkip
, alloc_fail
, fail_test
, wait_fail_trigger
15 from test_ap_eap
import int_eap_server_params
16 from test_ap_psk
import find_wpas_process
, read_process_memory
, verify_not_present
, get_key_locations
18 def check_erp_capa(dev
):
19 capab
= dev
.get_capability("erp")
20 if not capab
or 'ERP' not in capab
:
21 raise HwsimSkip("ERP not supported in the build")
23 def test_erp_initiate_reauth_start(dev
, apdev
):
24 """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer"""
25 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
26 params
['erp_send_reauth_start'] = '1'
27 params
['erp_domain'] = 'example.com'
28 hapd
= hostapd
.add_ap(apdev
[0], params
)
30 dev
[0].request("ERP_FLUSH")
31 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
32 eap
="PAX", identity
="pax.user@example.com",
33 password_hex
="0123456789abcdef0123456789abcdef",
36 def test_erp_enabled_on_server(dev
, apdev
):
37 """ERP enabled on internal EAP server, but disabled on peer"""
38 params
= int_eap_server_params()
39 params
['erp_send_reauth_start'] = '1'
40 params
['erp_domain'] = 'example.com'
41 params
['eap_server_erp'] = '1'
42 hapd
= hostapd
.add_ap(apdev
[0], params
)
44 dev
[0].request("ERP_FLUSH")
45 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
46 eap
="PAX", identity
="pax.user@example.com",
47 password_hex
="0123456789abcdef0123456789abcdef",
50 def test_erp(dev
, apdev
):
51 """ERP enabled on server and peer"""
52 check_erp_capa(dev
[0])
53 params
= int_eap_server_params()
54 params
['erp_send_reauth_start'] = '1'
55 params
['erp_domain'] = 'example.com'
56 params
['eap_server_erp'] = '1'
57 params
['disable_pmksa_caching'] = '1'
58 hapd
= hostapd
.add_ap(apdev
[0], params
)
60 dev
[0].request("ERP_FLUSH")
61 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
62 eap
="PSK", identity
="psk.user@example.com",
63 password_hex
="0123456789abcdef0123456789abcdef",
64 erp
="1", scan_freq
="2412")
66 dev
[0].request("DISCONNECT")
67 dev
[0].wait_disconnected(timeout
=15)
68 dev
[0].request("RECONNECT")
69 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
71 raise Exception("EAP success timed out")
72 if "EAP re-authentication completed successfully" not in ev
:
73 raise Exception("Did not use ERP")
74 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
76 def test_erp_server_no_match(dev
, apdev
):
77 """ERP enabled on server and peer, but server has no key match"""
78 check_erp_capa(dev
[0])
79 params
= int_eap_server_params()
80 params
['erp_send_reauth_start'] = '1'
81 params
['erp_domain'] = 'example.com'
82 params
['eap_server_erp'] = '1'
83 params
['disable_pmksa_caching'] = '1'
84 hapd
= hostapd
.add_ap(apdev
[0], params
)
86 dev
[0].request("ERP_FLUSH")
87 id = dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
88 eap
="PSK", identity
="psk.user@example.com",
89 password_hex
="0123456789abcdef0123456789abcdef",
90 erp
="1", scan_freq
="2412")
91 dev
[0].request("DISCONNECT")
92 dev
[0].wait_disconnected(timeout
=15)
93 hapd
.request("ERP_FLUSH")
94 dev
[0].request("RECONNECT")
95 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
96 "CTRL-EVENT-EAP-FAILURE"], timeout
=15)
98 raise Exception("EAP result timed out")
99 if "CTRL-EVENT-EAP-SUCCESS" in ev
:
100 raise Exception("Unexpected EAP success")
101 dev
[0].request("DISCONNECT")
102 dev
[0].select_network(id)
103 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
105 raise Exception("EAP success timed out")
106 if "EAP re-authentication completed successfully" in ev
:
107 raise Exception("Unexpected use of ERP")
108 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
110 def start_erp_as(apdev
, erp_domain
="example.com", msk_dump
=None):
111 params
= { "ssid": "as", "beacon_int": "2000",
112 "radius_server_clients": "auth_serv/radius_clients.conf",
113 "radius_server_auth_port": '18128',
115 "eap_user_file": "auth_serv/eap_user.conf",
116 "ca_cert": "auth_serv/ca.pem",
117 "server_cert": "auth_serv/server.pem",
118 "private_key": "auth_serv/server.key",
119 "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
120 "dh_file": "auth_serv/dh.conf",
121 "pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f",
122 "eap_fast_a_id": "101112131415161718191a1b1c1d1e1f",
123 "eap_fast_a_id_info": "test server",
124 "eap_server_erp": "1",
125 "erp_domain": erp_domain
}
127 params
["dump_msk_file"] = msk_dump
128 return hostapd
.add_ap(apdev
, params
)
130 def test_erp_radius(dev
, apdev
):
131 """ERP enabled on RADIUS server and peer"""
132 check_erp_capa(dev
[0])
133 start_erp_as(apdev
[1])
134 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
135 params
['auth_server_port'] = "18128"
136 params
['erp_send_reauth_start'] = '1'
137 params
['erp_domain'] = 'example.com'
138 params
['disable_pmksa_caching'] = '1'
139 hapd
= hostapd
.add_ap(apdev
[0], params
)
141 dev
[0].request("ERP_FLUSH")
142 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP",
143 eap
="PSK", identity
="psk.user@example.com",
144 password_hex
="0123456789abcdef0123456789abcdef",
145 erp
="1", scan_freq
="2412")
147 dev
[0].request("DISCONNECT")
148 dev
[0].wait_disconnected(timeout
=15)
149 dev
[0].request("RECONNECT")
150 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
152 raise Exception("EAP success timed out")
153 if "EAP re-authentication completed successfully" not in ev
:
154 raise Exception("Did not use ERP")
155 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
157 def erp_test(dev
, hapd
, **kwargs
):
158 res
= dev
.get_capability("eap")
159 if kwargs
['eap'] not in res
:
160 logger
.info("Skip ERP test with %s due to missing support" % kwargs
['eap'])
164 dev
.request("ERP_FLUSH")
165 id = dev
.connect("test-wpa2-eap", key_mgmt
="WPA-EAP", erp
="1",
166 scan_freq
="2412", **kwargs
)
167 dev
.request("DISCONNECT")
168 dev
.wait_disconnected(timeout
=15)
170 dev
.request("RECONNECT")
171 ev
= dev
.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
173 raise Exception("EAP success timed out")
174 if "EAP re-authentication completed successfully" not in ev
:
175 raise Exception("Did not use ERP")
176 dev
.wait_connected(timeout
=15, error
="Reconnection timed out")
177 ev
= hapd
.wait_event([ "AP-STA-CONNECTED" ], timeout
=5)
179 raise Exception("No connection event received from hostapd")
180 dev
.request("DISCONNECT")
182 def test_erp_radius_eap_methods(dev
, apdev
):
183 """ERP enabled on RADIUS server and peer"""
184 check_erp_capa(dev
[0])
185 eap_methods
= dev
[0].get_capability("eap")
186 start_erp_as(apdev
[1])
187 params
= hostapd
.wpa2_eap_params(ssid
="test-wpa2-eap")
188 params
['auth_server_port'] = "18128"
189 params
['erp_send_reauth_start'] = '1'
190 params
['erp_domain'] = 'example.com'
191 params
['disable_pmksa_caching'] = '1'
192 hapd
= hostapd
.add_ap(apdev
[0], params
)
194 erp_test(dev
[0], hapd
, eap
="AKA", identity
="0232010000000000@example.com",
195 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
196 erp_test(dev
[0], hapd
, eap
="AKA'", identity
="6555444333222111@example.com",
197 password
="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
198 erp_test(dev
[0], hapd
, eap
="EKE", identity
="erp-eke@example.com",
200 if "FAST" in eap_methods
:
201 erp_test(dev
[0], hapd
, eap
="FAST", identity
="erp-fast@example.com",
202 password
="password", ca_cert
="auth_serv/ca.pem",
204 phase1
="fast_provisioning=2",
205 pac_file
="blob://fast_pac_auth_erp")
206 erp_test(dev
[0], hapd
, eap
="GPSK", identity
="erp-gpsk@example.com",
207 password
="abcdefghijklmnop0123456789abcdef")
208 erp_test(dev
[0], hapd
, eap
="IKEV2", identity
="erp-ikev2@example.com",
210 erp_test(dev
[0], hapd
, eap
="PAX", identity
="erp-pax@example.com",
211 password_hex
="0123456789abcdef0123456789abcdef")
213 #if "MSCHAPV2" in eap_methods:
214 # erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com",
215 # password="password", ca_cert="auth_serv/ca.pem",
216 # phase2="auth=MSCHAPV2")
217 erp_test(dev
[0], hapd
, eap
="PSK", identity
="erp-psk@example.com",
218 password_hex
="0123456789abcdef0123456789abcdef")
219 if "PWD" in eap_methods
:
220 erp_test(dev
[0], hapd
, eap
="PWD", identity
="erp-pwd@example.com",
221 password
="secret password")
222 erp_test(dev
[0], hapd
, eap
="SAKE", identity
="erp-sake@example.com",
223 password_hex
="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
224 erp_test(dev
[0], hapd
, eap
="SIM", identity
="1232010000000000@example.com",
225 password
="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
226 erp_test(dev
[0], hapd
, eap
="TLS", identity
="erp-tls@example.com",
227 ca_cert
="auth_serv/ca.pem", client_cert
="auth_serv/user.pem",
228 private_key
="auth_serv/user.key")
229 erp_test(dev
[0], hapd
, eap
="TTLS", identity
="erp-ttls@example.com",
230 password
="password", ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP")
232 def test_erp_key_lifetime_in_memory(dev
, apdev
, params
):
233 """ERP and key lifetime in memory"""
234 check_erp_capa(dev
[0])
235 p
= int_eap_server_params()
236 p
['erp_send_reauth_start'] = '1'
237 p
['erp_domain'] = 'example.com'
238 p
['eap_server_erp'] = '1'
239 p
['disable_pmksa_caching'] = '1'
240 hapd
= hostapd
.add_ap(apdev
[0], p
)
241 password
= "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
243 pid
= find_wpas_process(dev
[0])
245 dev
[0].request("ERP_FLUSH")
246 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
247 identity
="pap-secret@example.com", password
=password
,
248 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
249 erp
="1", scan_freq
="2412")
251 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
252 # event has been delivered, so verify that wpa_supplicant has returned to
253 # eloop before reading process memory.
256 buf
= read_process_memory(pid
, password
)
258 dev
[0].request("DISCONNECT")
259 dev
[0].wait_disconnected(timeout
=15)
269 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
270 for l
in f
.readlines():
271 if "EAP-TTLS: Derived key - hexdump" in l
:
272 val
= l
.strip().split(':')[3].replace(' ', '')
273 msk
= binascii
.unhexlify(val
)
274 if "EAP-TTLS: Derived EMSK - hexdump" in l
:
275 val
= l
.strip().split(':')[3].replace(' ', '')
276 emsk
= binascii
.unhexlify(val
)
277 if "EAP: ERP rRK - hexdump" in l
:
278 val
= l
.strip().split(':')[3].replace(' ', '')
279 rRK
= binascii
.unhexlify(val
)
280 if "EAP: ERP rIK - hexdump" in l
:
281 val
= l
.strip().split(':')[3].replace(' ', '')
282 rIK
= binascii
.unhexlify(val
)
283 if "WPA: PMK - hexdump" in l
:
284 val
= l
.strip().split(':')[3].replace(' ', '')
285 pmk
= binascii
.unhexlify(val
)
286 if "WPA: PTK - hexdump" in l
:
287 val
= l
.strip().split(':')[3].replace(' ', '')
288 ptk
= binascii
.unhexlify(val
)
289 if "WPA: Group Key - hexdump" in l
:
290 val
= l
.strip().split(':')[3].replace(' ', '')
291 gtk
= binascii
.unhexlify(val
)
292 if not msk
or not emsk
or not rIK
or not rRK
or not pmk
or not ptk
or not gtk
:
293 raise Exception("Could not find keys from debug log")
295 raise Exception("Unexpected GTK length")
301 fname
= os
.path
.join(params
['logdir'],
302 'erp_key_lifetime_in_memory.memctx-')
304 logger
.info("Checking keys in memory while associated")
305 get_key_locations(buf
, password
, "Password")
306 get_key_locations(buf
, pmk
, "PMK")
307 get_key_locations(buf
, msk
, "MSK")
308 get_key_locations(buf
, emsk
, "EMSK")
309 get_key_locations(buf
, rRK
, "rRK")
310 get_key_locations(buf
, rIK
, "rIK")
311 if password
not in buf
:
312 raise HwsimSkip("Password not found while associated")
314 raise HwsimSkip("PMK not found while associated")
316 raise Exception("KCK not found while associated")
318 raise Exception("KEK not found while associated")
320 # raise Exception("TK found from memory")
322 logger
.info("Checking keys in memory after disassociation")
323 buf
= read_process_memory(pid
, password
)
325 # Note: Password is still present in network configuration
326 # Note: PMK is in EAP fast re-auth data
328 get_key_locations(buf
, password
, "Password")
329 get_key_locations(buf
, pmk
, "PMK")
330 get_key_locations(buf
, msk
, "MSK")
331 get_key_locations(buf
, emsk
, "EMSK")
332 get_key_locations(buf
, rRK
, "rRK")
333 get_key_locations(buf
, rIK
, "rIK")
334 verify_not_present(buf
, kck
, fname
, "KCK")
335 verify_not_present(buf
, kek
, fname
, "KEK")
336 verify_not_present(buf
, tk
, fname
, "TK")
338 get_key_locations(buf
, gtk
, "GTK")
339 verify_not_present(buf
, gtk
, fname
, "GTK")
341 dev
[0].request("RECONNECT")
342 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
344 raise Exception("EAP success timed out")
345 if "EAP re-authentication completed successfully" not in ev
:
346 raise Exception("Did not use ERP")
347 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
349 dev
[0].request("DISCONNECT")
350 dev
[0].wait_disconnected(timeout
=15)
356 with
open(os
.path
.join(params
['logdir'], 'log0'), 'r') as f
:
357 for l
in f
.readlines():
358 if "WPA: PMK - hexdump" in l
:
359 val
= l
.strip().split(':')[3].replace(' ', '')
360 pmk
= binascii
.unhexlify(val
)
361 if "WPA: PTK - hexdump" in l
:
362 val
= l
.strip().split(':')[3].replace(' ', '')
363 ptk
= binascii
.unhexlify(val
)
364 if "WPA: GTK in EAPOL-Key - hexdump" in l
:
365 val
= l
.strip().split(':')[3].replace(' ', '')
366 gtk
= binascii
.unhexlify(val
)
367 if not pmk
or not ptk
or not gtk
:
368 raise Exception("Could not find keys from debug log")
374 logger
.info("Checking keys in memory after ERP and disassociation")
375 buf
= read_process_memory(pid
, password
)
377 # Note: Password is still present in network configuration
379 get_key_locations(buf
, password
, "Password")
380 get_key_locations(buf
, pmk
, "PMK")
381 get_key_locations(buf
, msk
, "MSK")
382 get_key_locations(buf
, emsk
, "EMSK")
383 get_key_locations(buf
, rRK
, "rRK")
384 get_key_locations(buf
, rIK
, "rIK")
385 verify_not_present(buf
, kck
, fname
, "KCK")
386 verify_not_present(buf
, kek
, fname
, "KEK")
387 verify_not_present(buf
, tk
, fname
, "TK")
388 verify_not_present(buf
, gtk
, fname
, "GTK")
390 dev
[0].request("REMOVE_NETWORK all")
392 logger
.info("Checking keys in memory after network profile removal")
393 buf
= read_process_memory(pid
, password
)
395 # Note: rRK and rIK are still in memory
397 get_key_locations(buf
, password
, "Password")
398 get_key_locations(buf
, pmk
, "PMK")
399 get_key_locations(buf
, msk
, "MSK")
400 get_key_locations(buf
, emsk
, "EMSK")
401 get_key_locations(buf
, rRK
, "rRK")
402 get_key_locations(buf
, rIK
, "rIK")
403 verify_not_present(buf
, password
, fname
, "password")
404 verify_not_present(buf
, pmk
, fname
, "PMK")
405 verify_not_present(buf
, kck
, fname
, "KCK")
406 verify_not_present(buf
, kek
, fname
, "KEK")
407 verify_not_present(buf
, tk
, fname
, "TK")
408 verify_not_present(buf
, gtk
, fname
, "GTK")
409 verify_not_present(buf
, msk
, fname
, "MSK")
410 verify_not_present(buf
, emsk
, fname
, "EMSK")
412 dev
[0].request("ERP_FLUSH")
413 logger
.info("Checking keys in memory after ERP_FLUSH")
414 buf
= read_process_memory(pid
, password
)
415 get_key_locations(buf
, rRK
, "rRK")
416 get_key_locations(buf
, rIK
, "rIK")
417 verify_not_present(buf
, rRK
, fname
, "rRK")
418 verify_not_present(buf
, rIK
, fname
, "rIK")
420 def test_erp_anonymous_identity(dev
, apdev
):
421 """ERP and anonymous identity"""
422 check_erp_capa(dev
[0])
423 params
= int_eap_server_params()
424 params
['erp_send_reauth_start'] = '1'
425 params
['erp_domain'] = 'example.com'
426 params
['eap_server_erp'] = '1'
427 params
['disable_pmksa_caching'] = '1'
428 hapd
= hostapd
.add_ap(apdev
[0], params
)
430 dev
[0].request("ERP_FLUSH")
431 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
433 anonymous_identity
="anonymous@example.com",
435 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
436 erp
="1", scan_freq
="2412")
438 dev
[0].request("DISCONNECT")
439 dev
[0].wait_disconnected(timeout
=15)
440 dev
[0].request("RECONNECT")
441 ev
= dev
[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout
=15)
443 raise Exception("EAP success timed out")
444 if "EAP re-authentication completed successfully" not in ev
:
445 raise Exception("Did not use ERP")
446 dev
[0].wait_connected(timeout
=15, error
="Reconnection timed out")
448 def test_erp_home_realm_oom(dev
, apdev
):
449 """ERP and home realm OOM"""
450 check_erp_capa(dev
[0])
451 params
= int_eap_server_params()
452 params
['erp_send_reauth_start'] = '1'
453 params
['erp_domain'] = 'example.com'
454 params
['eap_server_erp'] = '1'
455 params
['disable_pmksa_caching'] = '1'
456 hapd
= hostapd
.add_ap(apdev
[0], params
)
458 for count
in range(1, 3):
459 with
alloc_fail(dev
[0], count
, "eap_get_realm"):
460 dev
[0].request("ERP_FLUSH")
461 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
462 identity
="erp-ttls@example.com",
463 anonymous_identity
="anonymous@example.com",
465 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
466 erp
="1", scan_freq
="2412", wait_connect
=False)
467 dev
[0].wait_connected(timeout
=10)
468 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
469 dev
[0].request("REMOVE_NETWORK all")
470 dev
[0].wait_disconnected()
472 for count
in range(1, 3):
473 with
alloc_fail(dev
[0], count
, "eap_get_realm"):
474 dev
[0].request("ERP_FLUSH")
475 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
477 anonymous_identity
="anonymous@example.com",
479 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
480 erp
="1", scan_freq
="2412", wait_connect
=False)
481 dev
[0].wait_connected(timeout
=10)
482 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
483 dev
[0].request("REMOVE_NETWORK all")
484 dev
[0].wait_disconnected()
486 for count
in range(1, 3):
487 dev
[0].request("ERP_FLUSH")
488 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
489 identity
="erp-ttls@example.com",
490 anonymous_identity
="anonymous@example.com",
492 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
493 erp
="1", scan_freq
="2412", wait_connect
=False)
494 dev
[0].wait_connected(timeout
=10)
497 with
alloc_fail(dev
[0], count
, "eap_get_realm"):
498 dev
[0].request("DISCONNECT")
499 dev
[0].wait_disconnected(timeout
=15)
500 dev
[0].request("RECONNECT")
501 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
502 dev
[0].request("REMOVE_NETWORK all")
503 dev
[0].wait_disconnected()
505 def test_erp_local_errors(dev
, apdev
):
506 """ERP and local error cases"""
507 check_erp_capa(dev
[0])
508 params
= int_eap_server_params()
509 params
['erp_send_reauth_start'] = '1'
510 params
['erp_domain'] = 'example.com'
511 params
['eap_server_erp'] = '1'
512 params
['disable_pmksa_caching'] = '1'
513 hapd
= hostapd
.add_ap(apdev
[0], params
)
515 dev
[0].request("ERP_FLUSH")
516 with
alloc_fail(dev
[0], 1, "eap_peer_erp_init"):
517 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
518 identity
="erp-ttls@example.com",
519 anonymous_identity
="anonymous@example.com",
521 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
522 erp
="1", scan_freq
="2412")
523 dev
[0].request("REMOVE_NETWORK all")
524 dev
[0].wait_disconnected()
526 for count
in range(1, 6):
527 dev
[0].request("ERP_FLUSH")
528 with
fail_test(dev
[0], count
, "hmac_sha256_kdf;eap_peer_erp_init"):
529 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
530 identity
="erp-ttls@example.com",
531 anonymous_identity
="anonymous@example.com",
533 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
534 erp
="1", scan_freq
="2412")
535 dev
[0].request("REMOVE_NETWORK all")
536 dev
[0].wait_disconnected()
538 dev
[0].request("ERP_FLUSH")
539 with
alloc_fail(dev
[0], 1, "eap_msg_alloc;eap_peer_erp_reauth_start"):
540 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
541 identity
="erp-ttls@example.com",
542 anonymous_identity
="anonymous@example.com",
544 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
545 erp
="1", scan_freq
="2412")
546 dev
[0].request("DISCONNECT")
547 dev
[0].wait_disconnected(timeout
=15)
548 dev
[0].request("RECONNECT")
549 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
550 dev
[0].request("REMOVE_NETWORK all")
551 dev
[0].wait_disconnected()
553 dev
[0].request("ERP_FLUSH")
554 with
fail_test(dev
[0], 1, "hmac_sha256;eap_peer_erp_reauth_start"):
555 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
556 identity
="erp-ttls@example.com",
557 anonymous_identity
="anonymous@example.com",
559 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
560 erp
="1", scan_freq
="2412")
561 dev
[0].request("DISCONNECT")
562 dev
[0].wait_disconnected(timeout
=15)
563 dev
[0].request("RECONNECT")
564 wait_fail_trigger(dev
[0], "GET_FAIL")
565 dev
[0].request("REMOVE_NETWORK all")
566 dev
[0].wait_disconnected()
568 dev
[0].request("ERP_FLUSH")
569 with
fail_test(dev
[0], 1, "hmac_sha256;eap_peer_finish"):
570 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
571 identity
="erp-ttls@example.com",
572 anonymous_identity
="anonymous@example.com",
574 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
575 erp
="1", scan_freq
="2412")
576 dev
[0].request("DISCONNECT")
577 dev
[0].wait_disconnected(timeout
=15)
578 dev
[0].request("RECONNECT")
579 wait_fail_trigger(dev
[0], "GET_FAIL")
580 dev
[0].request("REMOVE_NETWORK all")
581 dev
[0].wait_disconnected()
583 dev
[0].request("ERP_FLUSH")
584 with
alloc_fail(dev
[0], 1, "eap_peer_erp_init"):
585 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
586 identity
="erp-ttls@example.com",
587 anonymous_identity
="anonymous@example.com",
589 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
590 erp
="1", scan_freq
="2412")
591 dev
[0].request("DISCONNECT")
592 dev
[0].wait_disconnected(timeout
=15)
594 dev
[0].request("ERP_FLUSH")
595 with
alloc_fail(dev
[0], 1, "eap_peer_finish"):
596 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
597 identity
="erp-ttls@example.com",
598 anonymous_identity
="anonymous@example.com",
600 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
601 erp
="1", scan_freq
="2412")
602 dev
[0].request("DISCONNECT")
603 dev
[0].wait_disconnected(timeout
=15)
604 dev
[0].request("RECONNECT")
605 wait_fail_trigger(dev
[0], "GET_ALLOC_FAIL")
606 dev
[0].request("REMOVE_NETWORK all")
607 dev
[0].wait_disconnected()
609 dev
[0].request("ERP_FLUSH")
610 with
fail_test(dev
[0], 1, "hmac_sha256_kdf;eap_peer_finish"):
611 dev
[0].connect("test-wpa2-eap", key_mgmt
="WPA-EAP", eap
="TTLS",
612 identity
="erp-ttls@example.com",
613 anonymous_identity
="anonymous@example.com",
615 ca_cert
="auth_serv/ca.pem", phase2
="auth=PAP",
616 erp
="1", scan_freq
="2412")
617 dev
[0].request("DISCONNECT")
618 dev
[0].wait_disconnected(timeout
=15)
619 dev
[0].request("RECONNECT")
620 wait_fail_trigger(dev
[0], "GET_FAIL")
621 dev
[0].request("REMOVE_NETWORK all")
622 dev
[0].wait_disconnected()