encode extension AVPs

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

internal/outpost/radius/eap/protocol/mschapv2/payload.go

@@ -127,6 +127,7 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 			return nil
 		}
 		ctx.Log().Info("MSCHAPv2: Successfully checked password")
+		p.st.Authenticated = true
 		succ := &SuccessRequest{
 			Payload: &Payload{
 				OpCode: OpSuccess,
@@ -134,7 +135,7 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 			Authenticator: auth,
 		}
 		return succ
-	} else if p.OpCode == OpSuccess {
+	} else if p.OpCode == OpSuccess && p.st.Authenticated {
 		return &peap.ExtensionPayload{
 			AVPs: []peap.ExtensionAVP{
 				{

internal/outpost/radius/eap/protocol/mschapv2/state.go

@@ -3,4 +3,5 @@ package mschapv2
 type State struct {
 	Challenge     []byte
 	PeerChallenge []byte
+	Authenticated bool
 }

internal/outpost/radius/eap/protocol/peap/extension.go

@@ -3,6 +3,7 @@ package peap
 import (
 	"errors"
 
+	log "github.com/sirupsen/logrus"
 	"goauthentik.io/internal/outpost/radius/eap/protocol"
 )
 
@@ -17,7 +18,12 @@ func (ep *ExtensionPayload) Decode(raw []byte) error {
 }
 
 func (ep *ExtensionPayload) Encode() ([]byte, error) {
-	return []byte{}, nil
+	log.Debug("PEAP: Extension encode")
+	buff := []byte{}
+	for _, avp := range ep.AVPs {
+		buff = append(buff, avp.Encode()...)
+	}
+	return buff, nil
 }
 
 func (ep *ExtensionPayload) Handle(protocol.Context) protocol.Payload {

internal/outpost/radius/eap/protocol/peap/extension_avp.go

@@ -1,6 +1,8 @@
 package peap
 
-import "encoding/binary"
+import (
+	"encoding/binary"
+)
 
 type AVPType uint16
 
@@ -29,7 +31,7 @@ func (eavp ExtensionAVP) Encode() []byte {
 	}
 	// The next bit is reserved and should always be set to 0
 	t = t & 0b1011111111111111
-	binary.BigEndian.AppendUint16(buff, t)
-	binary.BigEndian.AppendUint16(buff[2:], uint16(len(eavp.Value)))
+	binary.BigEndian.PutUint16(buff[0:], t)
+	binary.BigEndian.PutUint16(buff[2:], uint16(len(eavp.Value)))
 	return append(buff, eavp.Value...)
 }

internal/outpost/radius/eap/protocol/peap/payload.go

@@ -124,7 +124,16 @@ func (p *Payload) Handle(ctx protocol.Context) protocol.Payload {
 	if err != nil {
 		ctx.Log().WithError(err).Warning("PEAP: failed to handle inner EAP")
 	}
-	return &Payload{eap: res.(*eap.Payload)}
+	// Normal payloads need to be wrapped in PEAP to use the correct encoding (see Encode() above)
+	// Extension payloads handle encoding differently
+	pres := res.(*eap.Payload)
+	if _, ok := pres.Payload.(*ExtensionPayload); ok {
+		// HandleInnerEAP will set the MsgType to the PEAP type, however we need to override that
+		pres.MsgType = TypePEAPExtension
+		ctx.Log().Debug("PEAP: Encoding response as extension")
+		return res
+	}
+	return &Payload{eap: pres}
 }
 
 func (p *Payload) GetEAPSettings() protocol.Settings {