From 2a567ccc854e980f2443aac948c8fd9037add430 Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens@goauthentik.io>
Date: Fri, 23 May 2025 23:12:40 +0200
Subject: [PATCH] peap: fix encode

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 internal/outpost/radius/eap/handler.go        |  6 +----
 .../radius/eap/protocol/peap/payload.go       | 23 +++++++++++++------
 2 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/internal/outpost/radius/eap/handler.go b/internal/outpost/radius/eap/handler.go
index 0420e1f53d..7774546686 100644
--- a/internal/outpost/radius/eap/handler.go
+++ b/internal/outpost/radius/eap/handler.go
@@ -34,7 +34,7 @@ func (p *Packet) HandleRadiusPacket(w radius.ResponseWriter, r *radius.Request)
 	p.state = rst
 
 	rp := &Packet{r: r}
-	rep, err := p.handleInner()
+	rep, err := p.handleEAP(p.eap, p.stm)
 	rp.eap = rep
 
 	rres := r.Response(radius.CodeAccessReject)
@@ -155,10 +155,6 @@ func (p *Packet) handleEAP(pp protocol.Payload, stm protocol.StateManager) (*eap
 	return res, nil
 }
 
-func (p *Packet) handleInner() (*eap.Payload, error) {
-	return p.handleEAP(p.eap, p.stm)
-}
-
 func (p *Packet) setMessageAuthenticator(rp *radius.Packet) error {
 	_ = rfc2869.MessageAuthenticator_Set(rp, make([]byte, 16))
 	hash := hmac.New(md5.New, rp.Secret)
diff --git a/internal/outpost/radius/eap/protocol/peap/payload.go b/internal/outpost/radius/eap/protocol/peap/payload.go
index 54721420eb..7ead7bfd3b 100644
--- a/internal/outpost/radius/eap/protocol/peap/payload.go
+++ b/internal/outpost/radius/eap/protocol/peap/payload.go
@@ -2,6 +2,7 @@ package peap
 
 import (
 	"encoding/binary"
+	"errors"
 	"fmt"
 
 	log "github.com/sirupsen/logrus"
@@ -45,9 +46,21 @@ func (p *Payload) Decode(raw []byte) error {
 	return nil
 }
 
+// Inner EAP packets in PEAP may not include the header, hence we need a custom decoder
+// https://datatracker.ietf.org/doc/html/draft-kamath-pppext-peapv0-00.txt#section-1.1
 func (p *Payload) Encode() ([]byte, error) {
-	log.Debug("PEAP: Encode")
-	return p.eap.Encode()
+	log.Debug("PEAP: Encoding inner EAP")
+	if p.eap.Payload == nil {
+		return []byte{}, errors.New("peap: no payload in response eap packet")
+	}
+	payload, err := p.eap.Payload.Encode()
+	if err != nil {
+		return []byte{}, err
+	}
+	encoded := []byte{
+		byte(p.eap.MsgType),
+	}
+	return append(encoded, payload...), nil
 }
 
 // Inner EAP packets in PEAP may not include the header, hence we need a custom decoder
@@ -74,10 +87,6 @@ func (p *Payload) eapInnerDecode(ctx protocol.Context) (*eap.Payload, error) {
 	return ep, nil
 }
 
-func (p *Payload) eapEncodeInner(ctx protocol.Context) ([]byte, error) {
-	return []byte{}, nil
-}
-
 func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 	defer func() {
 		ctx.SetProtocolState(TypePEAP, p.st)
@@ -115,7 +124,7 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 	if err != nil {
 		ctx.Log().WithError(err).Warning("PEAP: failed to handle inner EAP")
 	}
-	return res
+	return &Payload{eap: res.(*eap.Payload)}
 }
 
 func (p *Payload) GetEAPSettings() protocol.Settings {