tests: Work around pyrad issues with octet strings that start with "0x"

pyrad's tools.py EncodeOctets() uses a design that tries to
automatically determine when the octetstring is a hex string based on
the binary data starting with "0x". That is not really nice since it
will result in failing one out of 65536 possible random inputs with
"binascii.Error: Non-hexadecimal digit found" when trying to decode an
actual (non-hex) binary string as a hexstring.

Work around this by convering the special cases where the
Message-Authenticator binary value happens to start with b"0x" to a
hexstring.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>

tests/hwsim/test_eap_proto.py

@@ -74,6 +74,14 @@ EAP_ERP_TLV_NAS_IDENTIFIER = 130
 EAP_ERP_TLV_NAS_IP_ADDRESS = 131
 EAP_ERP_TLV_NAS_IPV6_ADDRESS = 132
 
+def add_message_authenticator_attr(reply, digest):
+    if digest.startswith(b'0x'):
+        # Work around pyrad tools.py EncodeOctets() functionality that
+        # assumes a binary value that happens to start with "0x" to be
+        # a hex string.
+        digest = b"0x" + binascii.hexlify(digest)
+    reply.AddAttribute("Message-Authenticator", digest)
+
 def run_pyrad_server(srv, t_stop, eap_handler):
     srv.RunWithStop(t_stop, eap_handler)
 
@@ -119,7 +127,7 @@ def start_radius_server(eap_handler):
             hmac_obj.update(pkt.authenticator)
             hmac_obj.update(attrs)
             del reply[80]
-            reply.AddAttribute("Message-Authenticator", hmac_obj.digest())
+            add_message_authenticator_attr(reply, hmac_obj.digest())
 
             self.SendReplyPacket(pkt.fd, reply)
 

tests/hwsim/test_radius.py

@@ -21,6 +21,7 @@ import hostapd
 from utils import *
 from test_ap_hs20 import build_dhcp_ack
 from test_ap_ft import ft_params1
+from test_eap_proto import add_message_authenticator_attr
 
 def connect(dev, ssid, wait_connect=True):
     dev.connect(ssid, key_mgmt="WPA-EAP", scan_freq="2412",
@@ -791,7 +792,7 @@ def add_message_auth_req(req):
     hmac_obj.update(16*b"\x00") # all zeros Authenticator in calculation
     hmac_obj.update(attrs)
     del req[80]
-    req.AddAttribute("Message-Authenticator", hmac_obj.digest())
+    add_message_authenticator_attr(req, hmac_obj.digest())
 
 def test_radius_das_disconnect_time_window(dev, apdev):
     """RADIUS Dynamic Authorization Extensions - Disconnect - time window"""
@@ -1077,7 +1078,7 @@ def test_radius_protocol(dev, apdev):
                     logger.info("Include two Message-Authenticator attributes")
                 else:
                     del reply[80]
-                reply.AddAttribute("Message-Authenticator", hmac_obj.digest())
+                add_message_authenticator_attr(reply, hmac_obj.digest())
             self.SendReplyPacket(pkt.fd, reply)
 
         def RunWithStop(self, t_events):
@@ -1477,7 +1478,7 @@ def add_message_auth(req):
     hmac_obj.update(req.authenticator)
     hmac_obj.update(attrs)
     del req[80]
-    req.AddAttribute("Message-Authenticator", hmac_obj.digest())
+    add_message_authenticator_attr(req, hmac_obj.digest())
 
 def test_radius_server_failures(dev, apdev):
     """RADIUS server failure cases"""