mostly parsing eavp extensions

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2025-05-24 02:13:35 +02:00
parent fb01a117ad
commit f1101e0c01
4 changed files with 48 additions and 7 deletions
--- a/internal/outpost/radius/eap/protocol/eap/payload.go
+++ b/internal/outpost/radius/eap/protocol/eap/payload.go
@ -46,12 +46,14 @@ func (p *Payload) Decode(raw []byte) error {
 	}
 	log.WithField("raw", debug.FormatBytes(raw)).Trace("EAP: decode raw")
 	p.RawPayload = raw[5:]
-	pp, _, err := EmptyPayload(p.Settings, p.MsgType)
-	if err != nil {
-		return err
+	if p.Payload == nil {
+		pp, _, err := EmptyPayload(p.Settings, p.MsgType)
+		if err != nil {
+			return err
+		}
+		p.Payload = pp
 	}
-	p.Payload = pp
-	err = p.Payload.Decode(raw[5:])
+	err := p.Payload.Decode(raw[5:])
 	if err != nil {
 		return err
 	}
--- a/internal/outpost/radius/eap/protocol/peap/extension.go
+++ b/internal/outpost/radius/eap/protocol/peap/extension.go
@ -1,7 +1,7 @@
 package peap

 import (
-	"errors"
+	"encoding/binary"

 	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/radius/eap/protocol"
@ -14,7 +14,21 @@ type ExtensionPayload struct {
 }

 func (ep *ExtensionPayload) Decode(raw []byte) error {
-	return errors.New("PEAP: Extension Payload does not support decoding")
+	ep.AVPs = []ExtensionAVP{}
+	offset := 0
+	for {
+		if len(raw[offset:]) < 4 {
+			return nil
+		}
+		len := binary.BigEndian.Uint16(raw[offset+2:offset+2+2]) + ExtensionHeaderSize
+		avp := &ExtensionAVP{}
+		err := avp.Decode(raw[offset : offset+int(len)])
+		if err != nil {
+			return err
+		}
+		ep.AVPs = append(ep.AVPs, *avp)
+		offset = offset + int(len)
+	}
 }

 func (ep *ExtensionPayload) Encode() ([]byte, error) {
--- a/internal/outpost/radius/eap/protocol/peap/extension_avp.go
+++ b/internal/outpost/radius/eap/protocol/peap/extension_avp.go
@ -2,6 +2,7 @@ package peap

 import (
 	"encoding/binary"
+	"fmt"
 )

 type AVPType uint16
@ -10,6 +11,8 @@ const (
 	AVPAckResult AVPType = 3
 )

+const ExtensionHeaderSize = 4
+
 type ExtensionAVP struct {
 	Mandatory bool
 	Type      AVPType // 14-bit field
@ -17,6 +20,22 @@ type ExtensionAVP struct {
 	Value     []byte
 }

+func (eavp *ExtensionAVP) Decode(raw []byte) error {
+	typ := binary.BigEndian.Uint16(raw[:2])
+	// TODO fix this
+	if typ&0b1000000000000000 == 0 {
+		eavp.Mandatory = true
+	}
+	// TODO: Check reserved bit
+	eavp.Type = AVPType(typ & 0b0011111111111111)
+	eavp.Length = binary.BigEndian.Uint16(raw[2:4])
+	val := raw[4:]
+	if eavp.Length != uint16(len(val)) {
+		return fmt.Errorf("PEAP-Extension: Invalid length: %d, should be %d", eavp.Length, len(val))
+	}
+	return nil
+}
+
 func (eavp ExtensionAVP) Encode() []byte {
 	buff := []byte{
 		0,
--- a/internal/outpost/radius/eap/protocol/peap/payload.go
+++ b/internal/outpost/radius/eap/protocol/peap/payload.go
@ -80,6 +80,12 @@ func (p *Payload) eapInnerDecode(ctx protocol.Context) (*eap.Payload, error) {
 	fullLength := len(p.raw) + len(fixedRaw)
 	binary.BigEndian.PutUint16(fixedRaw[2:], uint16(fullLength))
 	fixedRaw = append(fixedRaw, p.raw...)
+	// If the raw data has a msgtype set to type 33 (EAP extension), decode differently
+	if len(p.raw) > 5 && p.raw[4] == byte(TypePEAPExtension) {
+		ep.Payload = &ExtensionPayload{}
+		// Pass original raw data to EAP as extension payloads are encoded like normal EAP packets
+		fixedRaw = p.raw
+	}
 	err := ep.Decode(fixedRaw)
 	if err != nil {
 		return nil, err