Encode EAP-Naks in expanded format if we got an expanded type request
authorTobias Brunner <tobias@strongswan.org>
Thu, 23 Aug 2012 06:36:24 +0000 (08:36 +0200)
committerTobias Brunner <tobias@strongswan.org>
Fri, 31 Aug 2012 09:40:27 +0000 (11:40 +0200)
Since methods defined by the IETF (vendor ID 0) can also be encoded in
Expanded Type format, the previous check was insufficient.

src/libcharon/encoding/payloads/eap_payload.c
src/libcharon/encoding/payloads/eap_payload.h
src/libcharon/plugins/eap_peap/eap_peap_peer.c
src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
src/libcharon/sa/ikev2/authenticators/eap_authenticator.c

index 15a9972f2122ab9a9a74101d319b8a76f0df7955..855504fe0a199e67cba291d92a7b6f4e0c585d8b 100644 (file)
@@ -241,6 +241,12 @@ METHOD(eap_payload_t, get_type, eap_type_t,
        return 0;
 }
 
+METHOD(eap_payload_t, is_expanded, bool,
+       private_eap_payload_t *this)
+{
+       return this->data.len > 4 ? this->data.ptr[4] == EAP_EXPANDED : FALSE;
+}
+
 METHOD2(payload_t, eap_payload_t, destroy, void,
        private_eap_payload_t *this)
 {
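Review bot: In `is_expanded` the bare `4` is the offset of the Type octet behind the EAP header (code, identifier, two length bytes), and nothing in the code says so; a comment such as `/* Type octet follows the 4-byte EAP header */` would make the guard readable. The `len > 4` test is what keeps the read of `data.ptr[4]` in bounds on what appears to be received packet data, so it must survive any simplification, for example `return this->data.len > 4 && this->data.ptr[4] == EAP_EXPANDED;`. The method inspects only that one octet, so a packet that announces the expanded format but is too short to hold the vendor fields would presumably still report TRUE; whether `get_type` rejects such a packet is not visible here (only its tail is in the hunk), and the callers changed in this commit now choose the Nak format from this result.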
@@ -272,6 +278,7 @@ eap_payload_t *eap_payload_create()
                        .get_code = _get_code,
                        .get_identifier = _get_identifier,
                        .get_type = _get_type,
+                       .is_expanded = _is_expanded,
                        .destroy = _destroy,
                },
                .next_payload = NO_PAYLOAD,
index d3c3fae28f6610ed8b0a6eb139b4e735c4a61a78..934983282092aecd63ea2f7e06df0a25c966b6f4 100644 (file)
@@ -82,6 +82,13 @@ struct eap_payload_t {
         */
        eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor);
 
+       /**
+        * Check if the EAP method type is encoded in the Expanded Type format.
+        *
+        * @return                      TRUE if in Expanded Type format
+        */
+       bool (*is_expanded) (eap_payload_t *this);
+
        /**
         * Destroys an eap_payload_t object.
         */
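Review bot: The doc comment for `is_expanded` does not say what is returned when the packet carries no Type octet. The implementation in eap_payload.c returns FALSE when the data is not longer than four bytes, so I would add a line such as `FALSE is returned if the packet has no type field`. It would also help to state that TRUE is returned for an IETF method (vendor ID 0) sent in expanded format, since that is the case the commit message describes and the one callers previously got wrong. The struct definition continues outside the hunk.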
@@ -129,8 +136,7 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier);
  * @param identifier   EAP identifier to use in payload
  * @param type                 preferred auth type, 0 to send all supported types
  * @param vendor               vendor identifier for auth type, 0 for default
- * @param expanded             TRUE to send an expanded Nak (as response to an expanded
- *                                             request, i.e. one with vendor specific type)
+ * @param expanded             TRUE to send an expanded Nak
  * @return                             eap_payload_t object
  */
 eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
index 5e19726725c4b7503b1f0d72f144a11f4e01f3b4..79fd667cb73ee8cfb1c8c9fb7c667d61ae7d2b07 100644 (file)
@@ -152,7 +152,7 @@ METHOD(tls_application_t, process, status_t,
                {
                        DBG1(DBG_IKE, "EAP method not supported");
                        this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
-                                                                                          received_vendor != 0);
+                                                                                          in->is_expanded(in));
                        in->destroy(in);
                        return NEED_MORE;
                }
index 811fe051b34d4952a317bcd3623635c168651de8..00a4da3f82a647cfeff4a320db09b734836f5d0b 100644 (file)
@@ -193,7 +193,7 @@ METHOD(tls_application_t, process, status_t,
                {
                        DBG1(DBG_IKE, "EAP method not supported");
                        this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
-                                                                                          received_vendor != 0);
+                                                                                          in->is_expanded(in));
                        in->destroy(in);
                        return NEED_MORE;
                }
index c9178d061e07c8d20efb0726b620eb0e41e2a84c..a340c04d7074b20eda88988c46269916c64170e3 100644 (file)
@@ -404,14 +404,14 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
                                         eap_type_names, conf_type);
                        }
                        return eap_payload_create_nak(in->get_identifier(in), conf_type,
-                                                                                 conf_vendor, vendor != 0);
+                                                                                 conf_vendor, in->is_expanded(in));
                }
                this->method = load_method(this, type, vendor, EAP_PEER);
                if (!this->method)
                {
                        DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
                        return eap_payload_create_nak(in->get_identifier(in), 0, 0,
-                                                                                 vendor != 0);
+                                                                                 in->is_expanded(in));
                }
        }