import time
import hostapd
-from utils import HwsimSkip
+from utils import HwsimSkip, alloc_fail, fail_test, wait_fail_trigger
from test_ap_eap import int_eap_server_params
from test_ap_psk import find_wpas_process, read_process_memory, verify_not_present, get_key_locations
params = hostapd.wpa2_eap_params(ssid="test-wpa2-eap")
params['erp_send_reauth_start'] = '1'
params['erp_domain'] = 'example.com'
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ hapd = hostapd.add_ap(apdev[0], params)
dev[0].request("ERP_FLUSH")
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
params['erp_send_reauth_start'] = '1'
params['erp_domain'] = 'example.com'
params['eap_server_erp'] = '1'
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ hapd = hostapd.add_ap(apdev[0], params)
dev[0].request("ERP_FLUSH")
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
params['erp_domain'] = 'example.com'
params['eap_server_erp'] = '1'
params['disable_pmksa_caching'] = '1'
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ hapd = hostapd.add_ap(apdev[0], params)
dev[0].request("ERP_FLUSH")
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
params['erp_domain'] = 'example.com'
params['eap_server_erp'] = '1'
params['disable_pmksa_caching'] = '1'
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ hapd = hostapd.add_ap(apdev[0], params)
dev[0].request("ERP_FLUSH")
id = dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
"eap_fast_a_id_info": "test server",
"eap_server_erp": "1",
"erp_domain": "example.com" }
- hostapd.add_ap(apdev['ifname'], params)
+ hostapd.add_ap(apdev, params)
def test_erp_radius(dev, apdev):
"""ERP enabled on RADIUS server and peer"""
params['erp_send_reauth_start'] = '1'
params['erp_domain'] = 'example.com'
params['disable_pmksa_caching'] = '1'
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ hapd = hostapd.add_ap(apdev[0], params)
dev[0].request("ERP_FLUSH")
dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP",
params['erp_send_reauth_start'] = '1'
params['erp_domain'] = 'example.com'
params['disable_pmksa_caching'] = '1'
- hapd = hostapd.add_ap(apdev[0]['ifname'], params)
+ hapd = hostapd.add_ap(apdev[0], params)
erp_test(dev[0], hapd, eap="AKA", identity="0232010000000000@example.com",
password="90dca4eda45b53cf0f12d7c9c3bc6a89:cb9cccc4b9258e6dca4760379fb82581:000000000123")
p['erp_domain'] = 'example.com'
p['eap_server_erp'] = '1'
p['disable_pmksa_caching'] = '1'
- hapd = hostapd.add_ap(apdev[0]['ifname'], p)
+ hapd = hostapd.add_ap(apdev[0], p)
password = "63d2d21ac3c09ed567ee004a34490f1d16e7fa5835edf17ddba70a63f1a90a25"
pid = find_wpas_process(dev[0])
ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
erp="1", scan_freq="2412")
+ # The decrypted copy of GTK is freed only after the CTRL-EVENT-CONNECTED
+ # event has been delivered, so verify that wpa_supplicant has returned to
+ # eloop before reading process memory.
time.sleep(1)
+ dev[0].ping()
buf = read_process_memory(pid, password)
dev[0].request("DISCONNECT")
if tk in buf:
raise Exception("TK found from memory")
if gtk in buf:
+ get_key_locations(buf, gtk, "GTK")
raise Exception("GTK found from memory")
logger.info("Checking keys in memory after disassociation")
get_key_locations(buf, rIK, "rIK")
verify_not_present(buf, rRK, fname, "rRK")
verify_not_present(buf, rIK, fname, "rIK")
+
+def test_erp_anonymous_identity(dev, apdev):
+ """ERP and anonymous identity"""
+ check_erp_capa(dev[0])
+ params = int_eap_server_params()
+ params['erp_send_reauth_start'] = '1'
+ params['erp_domain'] = 'example.com'
+ params['eap_server_erp'] = '1'
+ params['disable_pmksa_caching'] = '1'
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ dev[0].request("ERP_FLUSH")
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412")
+ for i in range(3):
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected(timeout=15)
+ dev[0].request("RECONNECT")
+ ev = dev[0].wait_event(["CTRL-EVENT-EAP-SUCCESS"], timeout=15)
+ if ev is None:
+ raise Exception("EAP success timed out")
+ if "EAP re-authentication completed successfully" not in ev:
+ raise Exception("Did not use ERP")
+ dev[0].wait_connected(timeout=15, error="Reconnection timed out")
+
+def test_erp_home_realm_oom(dev, apdev):
+ """ERP and home realm OOM"""
+ check_erp_capa(dev[0])
+ params = int_eap_server_params()
+ params['erp_send_reauth_start'] = '1'
+ params['erp_domain'] = 'example.com'
+ params['eap_server_erp'] = '1'
+ params['disable_pmksa_caching'] = '1'
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ for count in range(1, 3):
+ with alloc_fail(dev[0], count, "eap_home_realm"):
+ dev[0].request("ERP_FLUSH")
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412", wait_connect=False)
+ dev[0].wait_connected(timeout=10)
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ for count in range(1, 3):
+ with alloc_fail(dev[0], count, "eap_home_realm"):
+ dev[0].request("ERP_FLUSH")
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412", wait_connect=False)
+ dev[0].wait_connected(timeout=10)
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ for count in range(1, 3):
+ dev[0].request("ERP_FLUSH")
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412", wait_connect=False)
+ dev[0].wait_connected(timeout=10)
+ if range > 1:
+ continue
+ with alloc_fail(dev[0], count, "eap_home_realm"):
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected(timeout=15)
+ dev[0].request("RECONNECT")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+def test_erp_local_errors(dev, apdev):
+ """ERP and local error cases"""
+ check_erp_capa(dev[0])
+ params = int_eap_server_params()
+ params['erp_send_reauth_start'] = '1'
+ params['erp_domain'] = 'example.com'
+ params['eap_server_erp'] = '1'
+ params['disable_pmksa_caching'] = '1'
+ hapd = hostapd.add_ap(apdev[0], params)
+
+ dev[0].request("ERP_FLUSH")
+ with alloc_fail(dev[0], 1, "eap_peer_erp_init"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ for count in range(1, 6):
+ dev[0].request("ERP_FLUSH")
+ with fail_test(dev[0], count, "hmac_sha256_kdf;eap_peer_erp_init"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ dev[0].request("ERP_FLUSH")
+ with alloc_fail(dev[0], 1, "eap_msg_alloc;eap_peer_erp_reauth_start"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412")
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected(timeout=15)
+ dev[0].request("RECONNECT")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ dev[0].request("ERP_FLUSH")
+ with fail_test(dev[0], 1, "hmac_sha256;eap_peer_erp_reauth_start"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412")
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected(timeout=15)
+ dev[0].request("RECONNECT")
+ wait_fail_trigger(dev[0], "GET_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ dev[0].request("ERP_FLUSH")
+ with fail_test(dev[0], 1, "hmac_sha256;eap_peer_finish"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412")
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected(timeout=15)
+ dev[0].request("RECONNECT")
+ wait_fail_trigger(dev[0], "GET_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ dev[0].request("ERP_FLUSH")
+ with alloc_fail(dev[0], 1, "eap_peer_erp_init"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412")
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected(timeout=15)
+
+ dev[0].request("ERP_FLUSH")
+ with alloc_fail(dev[0], 1, "eap_peer_finish"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412")
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected(timeout=15)
+ dev[0].request("RECONNECT")
+ wait_fail_trigger(dev[0], "GET_ALLOC_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()
+
+ dev[0].request("ERP_FLUSH")
+ with fail_test(dev[0], 1, "hmac_sha256_kdf;eap_peer_finish"):
+ dev[0].connect("test-wpa2-eap", key_mgmt="WPA-EAP", eap="TTLS",
+ identity="erp-ttls@example.com",
+ anonymous_identity="anonymous@example.com",
+ password="password",
+ ca_cert="auth_serv/ca.pem", phase2="auth=PAP",
+ erp="1", scan_freq="2412")
+ dev[0].request("DISCONNECT")
+ dev[0].wait_disconnected(timeout=15)
+ dev[0].request("RECONNECT")
+ wait_fail_trigger(dev[0], "GET_FAIL")
+ dev[0].request("REMOVE_NETWORK all")
+ dev[0].wait_disconnected()