tests: Include Message-Authenticator attribute in RADIUS tests

This is in preparation for hostapd requiring this attribute for all cases. Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-17 11:10:16 +02:00 · 2024-03-17 11:10:16 +02:00 · 566dc139a0
commit 566dc139a0
parent 2846b74f14
2 changed files with 21 additions and 15 deletions
--- a/tests/hwsim/test_eap_proto.py
+++ b/tests/hwsim/test_eap_proto.py
@ -82,6 +82,22 @@ def add_message_authenticator_attr(reply, digest):
        digest = b"0x" + binascii.hexlify(digest)
    reply.AddAttribute("Message-Authenticator", digest)

+def build_message_auth(pkt, reply):
+    hmac_obj = hmac.new(reply.secret, digestmod=hashlib.md5)
+    hmac_obj.update(struct.pack("B", reply.code))
+    hmac_obj.update(struct.pack("B", reply.id))
+
+    reply.AddAttribute("Message-Authenticator", 16*b'\x00')
+    attrs = reply._PktEncodeAttributes()
+
+    # Length
+    flen = 4 + 16 + len(attrs)
+    hmac_obj.update(struct.pack(">H", flen))
+    hmac_obj.update(pkt.authenticator)
+    hmac_obj.update(attrs)
+    del reply[80]
+    add_message_authenticator_attr(reply, hmac_obj.digest())
+
 def run_pyrad_server(srv, t_stop, eap_handler):
    srv.RunWithStop(t_stop, eap_handler)

@ -113,21 +129,8 @@ def start_radius_server(eap_handler):
                logger.info("No EAP request available")
            reply.code = pyrad.packet.AccessChallenge

-            hmac_obj = hmac.new(reply.secret, digestmod=hashlib.md5)
-            hmac_obj.update(struct.pack("B", reply.code))
-            hmac_obj.update(struct.pack("B", reply.id))
-
            # reply attributes
-            reply.AddAttribute("Message-Authenticator", 16*b'\x00')
-            attrs = reply._PktEncodeAttributes()
-
-            # Length
-            flen = 4 + 16 + len(attrs)
-            hmac_obj.update(struct.pack(">H", flen))
-            hmac_obj.update(pkt.authenticator)
-            hmac_obj.update(attrs)
-            del reply[80]
-            add_message_authenticator_attr(reply, hmac_obj.digest())
+            build_message_auth(pkt, reply)

            self.SendReplyPacket(pkt.fd, reply)

--- a/tests/hwsim/test_radius.py
+++ b/tests/hwsim/test_radius.py
@ -22,7 +22,7 @@ import hostapd
 from utils import *
 from test_ap_hs20 import build_dhcp_ack
 from test_ap_ft import ft_params1
-from test_eap_proto import add_message_authenticator_attr
+from test_eap_proto import add_message_authenticator_attr, build_message_auth

 def connect(dev, ssid, wait_connect=True):
    dev.connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
@ -1233,6 +1233,8 @@ def start_radius_psk_server(psk, invalid_code=False, acct_interim_interval=0,
            if self.t_events['session_timeout']:
                reply.AddAttribute("Session-Timeout",
                                   self.t_events['session_timeout'])
+            build_message_auth(pkt, reply)
+
            self.SendReplyPacket(pkt.fd, reply)

        def RunWithStop(self, t_events):
@ -1587,6 +1589,7 @@ def test_ap_vlan_wpa2_psk_radius_required(dev, apdev):
                reply.AddAttribute("Tunnel-Type", 13)
                reply.AddAttribute("Tunnel-Medium-Type", 6)
                reply.AddAttribute("Tunnel-Private-Group-ID", "1")
+            build_message_auth(pkt, reply)
            self.SendReplyPacket(pkt.fd, reply)

        def RunWithStop(self, t_events):