working PEAP decode

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2025-05-21 10:25:00 +02:00
parent ee234ea3aa
commit 4571f5e644
5 changed files with 55 additions and 27 deletions
--- a/internal/outpost/radius/eap/protocol/peap/payload.go
+++ b/internal/outpost/radius/eap/protocol/peap/payload.go
@ -1,6 +1,8 @@
 package peap

 import (
+	"encoding/binary"
+
 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/radius/eap/debug"
 	"goauthentik.io/internal/outpost/radius/eap/protocol"
@ -45,6 +47,28 @@ func (p *Payload) Encode() ([]byte, error) {
 	return p.eap.Encode()
 }

+// Inner EAP packets in PEAP may not include the header, hence we need a custom decoder
+// https://datatracker.ietf.org/doc/html/draft-kamath-pppext-peapv0-00.txt#section-1.1
+func (p *Payload) eapInnerDecode(ctx protocol.Context) (*eap.Payload, error) {
+	ep := &eap.Payload{}
+	rootEap := ctx.RootPayload().(*eap.Payload)
+	fixedRaw := []byte{
+		byte(rootEap.Code),
+		rootEap.ID,
+		// 2 byte space for length
+		0,
+		0,
+	}
+	fullLength := len(p.raw) + len(fixedRaw)
+	binary.BigEndian.PutUint16(fixedRaw[2:], uint16(fullLength))
+	fixedRaw = append(fixedRaw, p.raw...)
+	err := ep.Decode(fixedRaw)
+	if err != nil {
+		return nil, err
+	}
+	return ep, nil
+}
+
 func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 	defer func() {
 		ctx.SetProtocolState(TypePEAP, p.st)
@ -64,13 +88,15 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 	}
 	p.st = ctx.GetProtocolState(TypePEAP).(*State)

-	ep := &eap.Payload{}
-	err := ep.Decode(p.raw)
+	ep, err := p.eapInnerDecode(ctx)
 	if err != nil {
 		ctx.Log().WithError(err).Warning("PEAP: failed to decode inner EAP")
-		return &Payload{}
+		return &eap.Payload{
+			Code: protocol.CodeFailure,
+			ID:   rootEap.ID + 1,
+		}
 	}
-	return &Payload{}
+	return ep
 }

 func (p *Payload) Offerable() bool {