1 # EAP Re-authentication Protocol (ERP) tests
2 # Copyright (c) 2014-2015, Jouni Malinen <j@w1.fi>
4 # This software may be distributed under the terms of the BSD license.
5 # See README for more details.
# Module-level logger; logging.getLogger() called without a name returns the
# root logger.
9 logger = logging.getLogger()
14 from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger
15 from test_ap_eap import int_eap_server_params
16 from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
def check_erp_capa(dev):
    """Skip the calling test unless the device reports ERP support.

    Queries ``dev.get_capability("erp")`` and raises ``HwsimSkip`` when the
    answer is empty/None or does not contain ``'ERP'``. Returns ``None``
    otherwise.
    """
    erp_capability = dev.get_capability("erp")
    has_erp = bool(erp_capability) and 'ERP' in erp_capability
    if has_erp:
        return
    raise HwsimSkip("ERP not supported in the build")
# Negative case: the AP is configured with erp_send_reauth_start=1 and
# erp_domain=example.com, while the visible connect() arguments carry no
# erp="1" for the station.
# NOTE(review): the connect() call is cut off in this listing (the gutter jumps
# from 33 to 36), so its remaining arguments and closing parenthesis are not
# visible here.
23 def test_erp_initiate_reauth_start(dev, apdev):
24 """Authenticator sending EAP-Initiate/Re-auth-Start, but ERP disabled on peer"""
25 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
26 params['erp_send_reauth_start'] = '1'
27 params['erp_domain'] = 'example.com'
28 hapd = hostapd.add_ap(apdev[0], params)
# Start from a clean ERP state on the station (this file's key-lifetime test
# verifies that rRK/rIK are no longer in memory after ERP_FLUSH).
30 dev[0].request("ERP_FLUSH")
31 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
32 eap="PAX", identity="pax.user@example.com",
33 password_hex="0123456789abcdef0123456789abcdef",
# Negative case: the AP built from int_eap_server_params() additionally sets
# eap_server_erp=1, while the visible connect() arguments carry no erp="1"
# for the station.
# NOTE(review): the connect() call is cut off in this listing (the gutter jumps
# from 47 to 50), so its remaining arguments and closing parenthesis are not
# visible here.
36 def test_erp_enabled_on_server(dev, apdev):
37 """ERP enabled on internal EAP server, but disabled on peer"""
38 params = int_eap_server_params()
39 params['erp_send_reauth_start'] = '1'
40 params['erp_domain'] = 'example.com'
41 params['eap_server_erp'] = '1'
42 hapd = hostapd.add_ap(apdev[0], params)
# Start from a clean ERP state on the station.
44 dev[0].request("ERP_FLUSH")
45 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
46 eap="PAX", identity="pax.user@example.com",
47 password_hex="0123456789abcdef0123456789abcdef",
# Positive case: full EAP-PSK authentication with erp="1", then
# DISCONNECT/RECONNECT and a check that the EAP success event text contains
# "EAP re-authentication completed successfully".
50 def test_erp(dev, apdev):
51 """ERP enabled on server and peer"""
52 check_erp_capa(dev[0])
53 params = int_eap_server_params()
54 params['erp_send_reauth_start'] = '1'
55 params['erp_domain'] = 'example.com'
56 params['eap_server_erp'] = '1'
# NOTE(review): presumably PMKSA caching is disabled so the reconnection cannot
# be satisfied from a cached PMK instead of ERP - confirm.
57 params['disable_pmksa_caching'] = '1'
58 hapd = hostapd.add_ap(apdev[0], params)
60 dev[0].request("ERP_FLUSH")
61 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
62 eap="PSK", identity="psk.user@example.com",
63 password_hex="0123456789abcdef0123456789abcdef",
64 erp="1", scan_freq="2412")
66 dev[0].request("DISCONNECT")
67 dev[0].wait_disconnected(timeout=15)
68 dev[0].request("RECONNECT")
69 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
# NOTE(review): gutter line 70 is missing from this listing; the raise below is
# presumably guarded by a check on ev - confirm against the original file.
71 raise Exception("EAP success timed out")
# The success event text is what distinguishes ERP from a full EAP exchange.
72 if "EAP re-authentication completed successfully" not in ev:
73 raise Exception("Did not use ERP")
74 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
# Server-side key loss: after a first authentication with erp="1", ERP_FLUSH is
# sent to hostapd (not to the station) before the station reconnects. The first
# EAP result must not be a success; after select_network() the station must
# succeed again, and the success event must not report an ERP
# re-authentication.
76 def test_erp_server_no_match(dev, apdev):
77 """ERP enabled on server and peer, but server has no key match"""
78 check_erp_capa(dev[0])
79 params = int_eap_server_params()
80 params['erp_send_reauth_start'] = '1'
81 params['erp_domain'] = 'example.com'
82 params['eap_server_erp'] = '1'
83 params['disable_pmksa_caching'] = '1'
84 hapd = hostapd.add_ap(apdev[0], params)
86 dev[0].request("ERP_FLUSH")
# The connect() return value is kept and passed to select_network() below.
87 id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
88 eap="PSK", identity="psk.user@example.com",
89 password_hex="0123456789abcdef0123456789abcdef",
90 erp="1", scan_freq="2412")
91 dev[0].request("DISCONNECT")
92 dev[0].wait_disconnected(timeout=15)
# Flush on the AP side only, so the station still holds its ERP state.
93 hapd.request("ERP_FLUSH")
94 dev[0].request("RECONNECT")
95 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS",
96 "CTRL-EVENT-EAP-FAILURE"], timeout=15)
# NOTE(review): gutter line 97 is missing from this listing; the raise below is
# presumably guarded by a check on ev - confirm against the original file.
98 raise Exception("EAP result timed out")
99 if "CTRL-EVENT-EAP-SUCCESS" in ev:
100 raise Exception("Unexpected EAP success")
101 dev[0].request("DISCONNECT")
102 dev[0].select_network(id)
103 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
# NOTE(review): gutter line 104 is missing from this listing; same presumed
# guard as above.
105 raise Exception("EAP success timed out")
106 if "EAP re-authentication completed successfully" in ev:
107 raise Exception("Unexpected use of ERP")
108 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
# Helper: starts a hostapd instance on the given apdev with SSID "as", a RADIUS
# server on auth port 18128 and eap_server_erp=1 for erp_domain example.com.
# The callers in this file point their AP at the same port through
# auth_server_port.
# NOTE(review): gutter line 114 is missing from this listing, so one entry of
# the params dict may not be visible here.
# NOTE(review): the certificate, key and database paths and the patterned
# pac_opaque_encr_key / eap_fast_a_id values are fixed test-fixture values.
110 def start_erp_as(apdev):
111 params = { "ssid": "as", "beacon_int": "2000",
112 "radius_server_clients": "auth_serv/radius_clients.conf",
113 "radius_server_auth_port": '18128',
115 "eap_user_file": "auth_serv/eap_user.conf",
116 "ca_cert": "auth_serv/ca.pem",
117 "server_cert": "auth_serv/server.pem",
118 "private_key": "auth_serv/server.key",
119 "eap_sim_db": "unix:/tmp/hlr_auc_gw.sock",
120 "dh_file": "auth_serv/dh.conf",
121 "pac_opaque_encr_key": "000102030405060708090a0b0c0d0e0f",
122 "eap_fast_a_id": "101112131415161718191a1b1c1d1e1f",
123 "eap_fast_a_id_info": "test server",
124 "eap_server_erp": "1",
125 "erp_domain": "example.com" }
126 hostapd.add_ap(apdev, params)
# Same flow as the internal-server ERP test, but the ERP-enabled EAP server is
# the separate instance started by start_erp_as() on apdev[1]; the AP on
# apdev[0] reaches it through auth_server_port 18128.
128 def test_erp_radius(dev, apdev):
129 """ERP enabled on RADIUS server and peer"""
130 check_erp_capa(dev[0])
131 start_erp_as(apdev[1])
132 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
133 params['auth_server_port'] = "18128"
134 params['erp_send_reauth_start'] = '1'
135 params['erp_domain'] = 'example.com'
136 params['disable_pmksa_caching'] = '1'
137 hapd = hostapd.add_ap(apdev[0], params)
139 dev[0].request("ERP_FLUSH")
140 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
141 eap="PSK", identity="psk.user@example.com",
142 password_hex="0123456789abcdef0123456789abcdef",
143 erp="1", scan_freq="2412")
145 dev[0].request("DISCONNECT")
146 dev[0].wait_disconnected(timeout=15)
147 dev[0].request("RECONNECT")
148 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
# NOTE(review): gutter line 149 is missing from this listing; the raise below is
# presumably guarded by a check on ev - confirm against the original file.
150 raise Exception("EAP success timed out")
151 if "EAP re-authentication completed successfully" not in ev:
152 raise Exception("Did not use ERP")
153 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
# Helper: runs one connect / disconnect / reconnect cycle with erp="1" for the
# EAP method given in kwargs['eap'], requires the reconnection to report an ERP
# re-authentication, and waits for AP-STA-CONNECTED on the hostapd side.
# All remaining kwargs are forwarded unchanged to dev.connect().
# NOTE(review): gutter lines 159-161, 167, 170 and 176 are missing from this
# listing. What follows the "Skip ERP test" log line and the guards in front
# of the two timeout raises are therefore not visible - confirm against the
# original file.
155 def erp_test(dev, hapd, **kwargs):
156 res = dev.get_capability("eap")
157 if kwargs['eap'] not in res:
158 logger.info("Skip ERP test with %s due to missing support" % kwargs['eap'])
162 dev.request("ERP_FLUSH")
163 id = dev.connect("test-wpa2-eap", key_mgmt="WPA-EAP", erp="1",
164 scan_freq="2412", **kwargs)
165 dev.request("DISCONNECT")
166 dev.wait_disconnected(timeout=15)
168 dev.request("RECONNECT")
169 ev = dev.wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
171 raise Exception("EAP success timed out")
172 if "EAP re-authentication completed successfully" not in ev:
173 raise Exception("Did not use ERP")
174 dev.wait_connected(timeout=15, error="Reconnection timed out")
175 ev = hapd.wait_event([ "AP-STA-CONNECTED" ], timeout=5)
177 raise Exception("No connection event received from hostapd")
178 dev.request("DISCONNECT")
# Runs erp_test() once per EAP method against the ERP-enabled RADIUS server
# from start_erp_as(). FAST and PWD are attempted only when listed in the
# station's "eap" capability; the PEAP case is commented out.
# NOTE(review): gutter lines 197, 201, 207 and 210 are missing from this
# listing, so the erp_test() calls for EKE, FAST and IKEV2 are cut off and
# whatever stood on line 210 is not visible.
# NOTE(review): the identities and credentials are test-fixture values; the
# matching server-side entries are presumably in auth_serv/eap_user.conf -
# confirm.
180 def test_erp_radius_eap_methods(dev, apdev):
181 """ERP enabled on RADIUS server and peer"""
182 check_erp_capa(dev[0])
183 eap_methods = dev[0].get_capability("eap")
184 start_erp_as(apdev[1])
185 params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
186 params['auth_server_port'] = "18128"
187 params['erp_send_reauth_start'] = '1'
188 params['erp_domain'] = 'example.com'
189 params['disable_pmksa_caching'] = '1'
190 hapd = hostapd.add_ap(apdev[0], params)
192 erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com",
193 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
194 erp_test(dev[0], hapd, eap="AKA'", identity="6555444333222111@example.com",
195 password="5122250214c33e723a5dd523fc145fc0:981d464c7c52eb6e5036234984ad0bcf:000000000123")
196 erp_test(dev[0], hapd, eap="EKE", identity="erp-eke@example.com",
198 if "FAST" in eap_methods:
199 erp_test(dev[0], hapd, eap="FAST", identity="erp-fast@example.com",
200 password="password", ca_cert="auth_serv/ca.pem",
202 phase1="fast_provisioning=2",
203 pac_file="blob://fast_pac_auth_erp")
204 erp_test(dev[0], hapd, eap="GPSK", identity="erp-gpsk@example.com",
205 password="abcdefghijklmnop0123456789abcdef")
206 erp_test(dev[0], hapd, eap="IKEV2", identity="erp-ikev2@example.com",
208 erp_test(dev[0], hapd, eap="PAX", identity="erp-pax@example.com",
209 password_hex="0123456789abcdef0123456789abcdef")
211 #if "MSCHAPV2" in eap_methods:
212 # erp_test(dev[0], hapd, eap="PEAP", identity="erp-peap@example.com",
213 # password="password", ca_cert="auth_serv/ca.pem",
214 # phase2="auth=MSCHAPV2")
215 erp_test(dev[0], hapd, eap="PSK", identity="erp-psk@example.com",
216 password_hex="0123456789abcdef0123456789abcdef")
217 if "PWD" in eap_methods:
218 erp_test(dev[0], hapd, eap="PWD", identity="erp-pwd@example.com",
219 password="secret password")
220 erp_test(dev[0], hapd, eap="SAKE", identity="erp-sake@example.com",
221 password_hex="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef")
222 erp_test(dev[0], hapd, eap="SIM", identity="1232010000000000@example.com",
223 password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581")
224 erp_test(dev[0], hapd, eap="TLS", identity="erp-tls@example.com",
225 ca_cert="auth_serv/ca.pem", client_cert="auth_serv/user.pem",
226 private_key="auth_serv/user.key")
227 erp_test(dev[0], hapd, eap="TTLS", identity="erp-ttls@example.com",
228 password="password", ca_cert="auth_serv/ca.pem", phase2="auth=PAP")
# Key-lifetime test: reads the wpa_supplicant process memory at five points
# (while associated, after disassociation, after an ERP re-authentication plus
# disassociation, after REMOVE_NETWORK all, after ERP_FLUSH) and checks which
# secrets can still be found in it.
# NOTE(review): many original lines are absent from this listing (the gutter
# numbers skip, for example, 252-253, 258-266, 292, 294-298, 350-354 and
# 368-372). The initialisation of msk/emsk/rRK/rIK/pmk/ptk/gtk, the assignments
# of kck/kek/tk and the conditions guarding several raise statements are not
# visible, so this block is annotated as it stands rather than rewritten.
230 def test_erp_key_lifetime_in_memory(dev, apdev, params):
231 """ERP and key lifetime in memory"""
232 check_erp_capa(dev[0])
233 p = int_eap_server_params()
234 p['erp_send_reauth_start'] = '1'
235 p['erp_domain'] = 'example.com'
236 p['eap_server_erp'] = '1'
237 p['disable_pmksa_caching'] = '1'
238 hapd = hostapd.add_ap(apdev[0], p)
# Long, distinctive password value; the test later searches process memory for
# it ("password not in buf").
239 password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
# Process id of the wpa_supplicant instance whose memory is inspected.
241 pid = find_wpas_process(dev[0])
243 dev[0].request("ERP_FLUSH")
244 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
245 identity="pap-secret@example.com", password=password,
246 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
247 erp="1", scan_freq="2412")
249 # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
250 # event has been delivered, so verify that wpa_supplicant has returned to
251 # eloop before reading process memory.
# NOTE(review): the statements that implement the wait described above (gutter
# lines 252-253) are missing from this listing.
# Snapshot 1: memory while associated.
254 buf = read_process_memory(pid, password)
256 dev[0].request("DISCONNECT")
257 dev[0].wait_disconnected(timeout=15)
# Recover the session keys from the debug log (log0): every matching line is
# split on ':' and field index 3, with spaces removed, is hex-decoded.
# NOTE(review): this relies on a debug log that hexdumps key material, so the
# contents of logdir are as sensitive as the keys themselves.
267 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
268 for l in f.readlines():
269 if "EAP-TTLS: Derived key - hexdump" in l:
270 val = l.strip().split(':')[3].replace(' ', '')
271 msk = binascii.unhexlify(val)
272 if "EAP-TTLS: Derived EMSK - hexdump" in l:
273 val = l.strip().split(':')[3].replace(' ', '')
274 emsk = binascii.unhexlify(val)
275 if "EAP: ERP rRK - hexdump" in l:
276 val = l.strip().split(':')[3].replace(' ', '')
277 rRK = binascii.unhexlify(val)
278 if "EAP: ERP rIK - hexdump" in l:
279 val = l.strip().split(':')[3].replace(' ', '')
280 rIK = binascii.unhexlify(val)
281 if "WPA: PMK - hexdump" in l:
282 val = l.strip().split(':')[3].replace(' ', '')
283 pmk = binascii.unhexlify(val)
284 if "WPA: PTK - hexdump" in l:
285 val = l.strip().split(':')[3].replace(' ', '')
286 ptk = binascii.unhexlify(val)
287 if "WPA: Group Key - hexdump" in l:
288 val = l.strip().split(':')[3].replace(' ', '')
289 gtk = binascii.unhexlify(val)
# Every key must have been seen in the log, otherwise the memory checks below
# would be meaningless.
290 if not msk or not emsk or not rIK or not rRK or not pmk or not ptk or not gtk:
291 raise Exception("Could not find keys from debug log")
# NOTE(review): the condition for this raise (gutter line 292) and the lines
# that follow it (294-298) are missing from this listing.
293 raise Exception("Unexpected GTK length")
# Prefix passed to verify_not_present() below as its third argument.
299 fname = os.path.join(params['logdir'],
300 'erp_key_lifetime_in_memory.memctx-')
302 logger.info("Checking keys in memory while associated")
# get_key_locations() is imported from test_ap_psk and its return value is not
# used here - presumably it reports where each key was found; confirm.
303 get_key_locations(buf, password, "Password")
304 get_key_locations(buf, pmk, "PMK")
305 get_key_locations(buf, msk, "MSK")
306 get_key_locations(buf, emsk, "EMSK")
307 get_key_locations(buf, rRK, "rRK")
308 get_key_locations(buf, rIK, "rIK")
# NOTE(review): the conditions for the raises below (gutter lines 311, 313, 315,
# 317 and 319) are missing from this listing. The messages show the intent:
# a missing password or PMK skips the test, KCK and KEK are expected to be
# found, and TK and GTK are expected not to be in process memory even while
# associated.
309 if password not in buf:
310 raise HwsimSkip("Password not found while associated")
312 raise HwsimSkip("PMK not found while associated")
314 raise Exception("KCK not found while associated")
316 raise Exception("KEK not found while associated")
318 raise Exception("TK found from memory")
320 get_key_locations(buf, gtk, "GTK")
321 raise Exception("GTK found from memory")
# Snapshot 2: after disassociation. KCK, KEK, TK and GTK must be gone.
323 logger.info("Checking keys in memory after disassociation")
324 buf = read_process_memory(pid, password)
326 # Note: Password is still present in network configuration
327 # Note: PMK is in EAP fast re-auth data
329 get_key_locations(buf, password, "Password")
330 get_key_locations(buf, pmk, "PMK")
331 get_key_locations(buf, msk, "MSK")
332 get_key_locations(buf, emsk, "EMSK")
333 get_key_locations(buf, rRK, "rRK")
334 get_key_locations(buf, rIK, "rIK")
335 verify_not_present(buf, kck, fname, "KCK")
336 verify_not_present(buf, kek, fname, "KEK")
337 verify_not_present(buf, tk, fname, "TK")
338 verify_not_present(buf, gtk, fname, "GTK")
# Reconnect and require that ERP (not a full EAP exchange) was used.
340 dev[0].request("RECONNECT")
341 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
# NOTE(review): gutter line 342 is missing from this listing; the raise below is
# presumably guarded by a check on ev - confirm against the original file.
343 raise Exception("EAP success timed out")
344 if "EAP re-authentication completed successfully" not in ev:
345 raise Exception("Did not use ERP")
346 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
348 dev[0].request("DISCONNECT")
349 dev[0].wait_disconnected(timeout=15)
# Re-read pmk/ptk/gtk from the debug log; note the GTK marker differs from the
# first pass ("WPA: GTK in EAPOL-Key" instead of "WPA: Group Key").
# NOTE(review): gutter lines 350-354 in front of this loop are missing from
# this listing.
355 with open(os.path.join(params['logdir'], 'log0'), 'r') as f:
356 for l in f.readlines():
357 if "WPA: PMK - hexdump" in l:
358 val = l.strip().split(':')[3].replace(' ', '')
359 pmk = binascii.unhexlify(val)
360 if "WPA: PTK - hexdump" in l:
361 val = l.strip().split(':')[3].replace(' ', '')
362 ptk = binascii.unhexlify(val)
363 if "WPA: GTK in EAPOL-Key - hexdump" in l:
364 val = l.strip().split(':')[3].replace(' ', '')
365 gtk = binascii.unhexlify(val)
366 if not pmk or not ptk or not gtk:
367 raise Exception("Could not find keys from debug log")
# Snapshot 3: after the ERP re-authentication and disassociation.
# NOTE(review): gutter lines 368-372 are missing from this listing; whether
# kck/kek/tk are recomputed from the new ptk there cannot be seen here.
373 logger.info("Checking keys in memory after ERP and disassociation")
374 buf = read_process_memory(pid, password)
376 # Note: Password is still present in network configuration
378 get_key_locations(buf, password, "Password")
379 get_key_locations(buf, pmk, "PMK")
380 get_key_locations(buf, msk, "MSK")
381 get_key_locations(buf, emsk, "EMSK")
382 get_key_locations(buf, rRK, "rRK")
383 get_key_locations(buf, rIK, "rIK")
384 verify_not_present(buf, kck, fname, "KCK")
385 verify_not_present(buf, kek, fname, "KEK")
386 verify_not_present(buf, tk, fname, "TK")
387 verify_not_present(buf, gtk, fname, "GTK")
# Snapshot 4: after removing all network profiles. The password, PMK, MSK and
# EMSK must now be gone as well; only rRK and rIK may remain.
389 dev[0].request("REMOVE_NETWORK all")
391 logger.info("Checking keys in memory after network profile removal")
392 buf = read_process_memory(pid, password)
394 # Note: rRK and rIK are still in memory
396 get_key_locations(buf, password, "Password")
397 get_key_locations(buf, pmk, "PMK")
398 get_key_locations(buf, msk, "MSK")
399 get_key_locations(buf, emsk, "EMSK")
400 get_key_locations(buf, rRK, "rRK")
401 get_key_locations(buf, rIK, "rIK")
402 verify_not_present(buf, password, fname, "password")
403 verify_not_present(buf, pmk, fname, "PMK")
404 verify_not_present(buf, kck, fname, "KCK")
405 verify_not_present(buf, kek, fname, "KEK")
406 verify_not_present(buf, tk, fname, "TK")
407 verify_not_present(buf, gtk, fname, "GTK")
408 verify_not_present(buf, msk, fname, "MSK")
409 verify_not_present(buf, emsk, fname, "EMSK")
# Snapshot 5: after ERP_FLUSH the ERP keys rRK and rIK must be gone too.
411 dev[0].request("ERP_FLUSH")
412 logger.info("Checking keys in memory after ERP_FLUSH")
413 buf = read_process_memory(pid, password)
414 get_key_locations(buf, rRK, "rRK")
415 get_key_locations(buf, rIK, "rIK")
416 verify_not_present(buf, rRK, fname, "rRK")
417 verify_not_present(buf, rIK, fname, "rIK")
# ERP with EAP-TTLS/PAP where the station is configured with
# anonymous_identity="anonymous@example.com"; the reconnection must report an
# ERP re-authentication.
# NOTE(review): gutter lines 431 and 433 inside the connect() call and line 441
# are missing from this listing, so some connect() arguments and the guard in
# front of the timeout raise are not visible - confirm against the original
# file.
419 def test_erp_anonymous_identity(dev, apdev):
420 """ERP and anonymous identity"""
421 check_erp_capa(dev[0])
422 params = int_eap_server_params()
423 params['erp_send_reauth_start'] = '1'
424 params['erp_domain'] = 'example.com'
425 params['eap_server_erp'] = '1'
426 params['disable_pmksa_caching'] = '1'
427 hapd = hostapd.add_ap(apdev[0], params)
429 dev[0].request("ERP_FLUSH")
430 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
432 anonymous_identity="anonymous@example.com",
434 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
435 erp="1", scan_freq="2412")
437 dev[0].request("DISCONNECT")
438 dev[0].wait_disconnected(timeout=15)
439 dev[0].request("RECONNECT")
440 ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
442 raise Exception("EAP success timed out")
443 if "EAP re-authentication completed successfully" not in ev:
444 raise Exception("Did not use ERP")
445 dev[0].wait_connected(timeout=15, error="Reconnection timed out")
# Out-of-memory handling around "eap_home_realm": three loops, each run for
# count 1 and 2. The first two wrap the initial connection in alloc_fail();
# the third connects normally and wraps only the DISCONNECT/RECONNECT step.
# NOTE(review): alloc_fail() and wait_fail_trigger() are imported from utils
# and not shown here; presumably alloc_fail() arms an allocation failure at the
# count-th matching allocation and wait_fail_trigger() waits until it has
# fired - confirm.
# NOTE(review): gutter lines 463, 475, 477, 490 and 494-495 are missing from
# this listing, so some connect() arguments and the lines between
# wait_connected() and the last alloc_fail() block are not visible.
447 def test_erp_home_realm_oom(dev, apdev):
448 """ERP and home realm OOM"""
449 check_erp_capa(dev[0])
450 params = int_eap_server_params()
451 params['erp_send_reauth_start'] = '1'
452 params['erp_domain'] = 'example.com'
453 params['eap_server_erp'] = '1'
454 params['disable_pmksa_caching'] = '1'
455 hapd = hostapd.add_ap(apdev[0], params)
# Loop 1: failure armed during the initial connection; the connection itself
# is still expected to complete (wait_connected).
457 for count in range(1, 3):
458 with alloc_fail(dev[0], count, "eap_home_realm"):
459 dev[0].request("ERP_FLUSH")
460 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
461 identity="erp-ttls@example.com",
462 anonymous_identity="anonymous@example.com",
464 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
465 erp="1", scan_freq="2412", wait_connect=False)
466 dev[0].wait_connected(timeout=10)
467 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
468 dev[0].request("REMOVE_NETWORK all")
469 dev[0].wait_disconnected()
# Loop 2: same shape as loop 1; the visible connect() arguments differ from
# loop 1 only in the lines missing from this listing.
471 for count in range(1, 3):
472 with alloc_fail(dev[0], count, "eap_home_realm"):
473 dev[0].request("ERP_FLUSH")
474 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
476 anonymous_identity="anonymous@example.com",
478 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
479 erp="1", scan_freq="2412", wait_connect=False)
480 dev[0].wait_connected(timeout=10)
481 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
482 dev[0].request("REMOVE_NETWORK all")
483 dev[0].wait_disconnected()
# Loop 3: connect without fault injection, then arm the failure for the
# reconnection.
485 for count in range(1, 3):
486 dev[0].request("ERP_FLUSH")
487 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
488 identity="erp-ttls@example.com",
489 anonymous_identity="anonymous@example.com",
491 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
492 erp="1", scan_freq="2412", wait_connect=False)
493 dev[0].wait_connected(timeout=10)
496 with alloc_fail(dev[0], count, "eap_home_realm"):
497 dev[0].request("DISCONNECT")
498 dev[0].wait_disconnected(timeout=15)
499 dev[0].request("RECONNECT")
500 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
501 dev[0].request("REMOVE_NETWORK all")
502 dev[0].wait_disconnected()
# Local error paths on the ERP peer: each stanza flushes ERP state, arms one
# failure with alloc_fail() or fail_test() for the named function(s), runs a
# connection (and in most stanzas a DISCONNECT/RECONNECT), then removes the
# network. The target strings name eap_peer_erp_init,
# eap_peer_erp_reauth_start and eap_peer_finish, combined with eap_msg_alloc,
# hmac_sha256 or hmac_sha256_kdf.
# NOTE(review): alloc_fail(), fail_test() and wait_fail_trigger() are imported
# from utils and not shown here; presumably a target of the form "a;b" selects
# calls to a made from b - confirm.
# NOTE(review): every connect() call below skips one gutter line (519, 531,
# 542, 557, 572, 587, 598 and 613), so one argument per call is not visible in
# this listing.
# NOTE(review): these stanzas exercise failure of allocation, HMAC and KDF
# steps during ERP key setup and re-authentication; the visible lines wait for
# the fault to trigger but contain no explicit assertion on the resulting
# connection state.
504 def test_erp_local_errors(dev, apdev):
505 """ERP and local error cases"""
506 check_erp_capa(dev[0])
507 params = int_eap_server_params()
508 params['erp_send_reauth_start'] = '1'
509 params['erp_domain'] = 'example.com'
510 params['eap_server_erp'] = '1'
511 params['disable_pmksa_caching'] = '1'
512 hapd = hostapd.add_ap(apdev[0], params)
# Allocation failure in eap_peer_erp_init during the initial connection.
514 dev[0].request("ERP_FLUSH")
515 with alloc_fail(dev[0], 1, "eap_peer_erp_init"):
516 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
517 identity="erp-ttls@example.com",
518 anonymous_identity="anonymous@example.com",
520 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
521 erp="1", scan_freq="2412")
522 dev[0].request("REMOVE_NETWORK all")
523 dev[0].wait_disconnected()
# hmac_sha256_kdf failure within eap_peer_erp_init, for count 1 through 5.
525 for count in range(1, 6):
526 dev[0].request("ERP_FLUSH")
527 with fail_test(dev[0], count, "hmac_sha256_kdf;eap_peer_erp_init"):
528 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
529 identity="erp-ttls@example.com",
530 anonymous_identity="anonymous@example.com",
532 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
533 erp="1", scan_freq="2412")
534 dev[0].request("REMOVE_NETWORK all")
535 dev[0].wait_disconnected()
# Message allocation failure in eap_peer_erp_reauth_start on reconnection.
537 dev[0].request("ERP_FLUSH")
538 with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_peer_erp_reauth_start"):
539 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
540 identity="erp-ttls@example.com",
541 anonymous_identity="anonymous@example.com",
543 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
544 erp="1", scan_freq="2412")
545 dev[0].request("DISCONNECT")
546 dev[0].wait_disconnected(timeout=15)
547 dev[0].request("RECONNECT")
548 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
549 dev[0].request("REMOVE_NETWORK all")
550 dev[0].wait_disconnected()
# hmac_sha256 failure in eap_peer_erp_reauth_start on reconnection.
552 dev[0].request("ERP_FLUSH")
553 with fail_test(dev[0], 1, "hmac_sha256;eap_peer_erp_reauth_start"):
554 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
555 identity="erp-ttls@example.com",
556 anonymous_identity="anonymous@example.com",
558 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
559 erp="1", scan_freq="2412")
560 dev[0].request("DISCONNECT")
561 dev[0].wait_disconnected(timeout=15)
562 dev[0].request("RECONNECT")
563 wait_fail_trigger(dev[0], "GET_FAIL")
564 dev[0].request("REMOVE_NETWORK all")
565 dev[0].wait_disconnected()
# hmac_sha256 failure in eap_peer_finish on reconnection.
567 dev[0].request("ERP_FLUSH")
568 with fail_test(dev[0], 1, "hmac_sha256;eap_peer_finish"):
569 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
570 identity="erp-ttls@example.com",
571 anonymous_identity="anonymous@example.com",
573 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
574 erp="1", scan_freq="2412")
575 dev[0].request("DISCONNECT")
576 dev[0].wait_disconnected(timeout=15)
577 dev[0].request("RECONNECT")
578 wait_fail_trigger(dev[0], "GET_FAIL")
579 dev[0].request("REMOVE_NETWORK all")
580 dev[0].wait_disconnected()
# Allocation failure in eap_peer_erp_init again, this time followed by a
# DISCONNECT instead of removing the network.
582 dev[0].request("ERP_FLUSH")
583 with alloc_fail(dev[0], 1, "eap_peer_erp_init"):
584 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
585 identity="erp-ttls@example.com",
586 anonymous_identity="anonymous@example.com",
588 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
589 erp="1", scan_freq="2412")
590 dev[0].request("DISCONNECT")
591 dev[0].wait_disconnected(timeout=15)
# Allocation failure in eap_peer_finish on reconnection.
593 dev[0].request("ERP_FLUSH")
594 with alloc_fail(dev[0], 1, "eap_peer_finish"):
595 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
596 identity="erp-ttls@example.com",
597 anonymous_identity="anonymous@example.com",
599 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
600 erp="1", scan_freq="2412")
601 dev[0].request("DISCONNECT")
602 dev[0].wait_disconnected(timeout=15)
603 dev[0].request("RECONNECT")
604 wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
605 dev[0].request("REMOVE_NETWORK all")
606 dev[0].wait_disconnected()
# hmac_sha256_kdf failure in eap_peer_finish on reconnection.
608 dev[0].request("ERP_FLUSH")
609 with fail_test(dev[0], 1, "hmac_sha256_kdf;eap_peer_finish"):
610 dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
611 identity="erp-ttls@example.com",
612 anonymous_identity="anonymous@example.com",
614 ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
615 erp="1", scan_freq="2412")
616 dev[0].request("DISCONNECT")
617 dev[0].wait_disconnected(timeout=15)
618 dev[0].request("RECONNECT")
619 wait_fail_trigger(dev[0], "GET_FAIL")
620 dev[0].request("REMOVE_NETWORK all")
621 dev[0].wait_disconnected()