Encode EAP-Naks in expanded format if we got an expanded type request

Since methods defined by the IETF (vendor ID 0) could also be encoded in expanded type format the previous check was insufficient.
2012-08-23 08:36:24 +02:00 · 2012-08-23 08:36:24 +02:00 · cc4eec56f7
parent 78e8dca94f
commit cc4eec56f7
5 changed files with 19 additions and 6 deletions
--- a/src/libcharon/encoding/payloads/eap_payload.c
+++ b/src/libcharon/encoding/payloads/eap_payload.c
@ -241,6 +241,12 @@ METHOD(eap_payload_t, get_type, eap_type_t,
 	return 0;
 }

+METHOD(eap_payload_t, is_expanded, bool,
+	private_eap_payload_t *this)
+{
+	return this->data.len > 4 ? this->data.ptr[4] == EAP_EXPANDED : FALSE;
+}
+
 METHOD2(payload_t, eap_payload_t, destroy, void,
 	private_eap_payload_t *this)
 {
@ -272,6 +278,7 @@ eap_payload_t *eap_payload_create()
 			.get_code = _get_code,
 			.get_identifier = _get_identifier,
 			.get_type = _get_type,
+			.is_expanded = _is_expanded,
 			.destroy = _destroy,
 		},
 		.next_payload = NO_PAYLOAD,
--- a/src/libcharon/encoding/payloads/eap_payload.h
+++ b/src/libcharon/encoding/payloads/eap_payload.h
@ -82,6 +82,13 @@ struct eap_payload_t {
 	 */
 	eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor);

+	/**
+	 * Check if the EAP method type is encoded in the Expanded Type format.
+	 *
+	 * @return			TRUE if in Expanded Type format
+	 */
+	bool (*is_expanded) (eap_payload_t *this);
+
 	/**
 	 * Destroys an eap_payload_t object.
 	 */
@ -129,8 +136,7 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier);
 * @param identifier	EAP identifier to use in payload
 * @param type			preferred auth type, 0 to send all supported types
 * @param vendor		vendor identifier for auth type, 0 for default
- * @param expanded		TRUE to send an expanded Nak (as response to an expanded
- * 						request, i.e. one with vendor specific type)
+ * @param expanded		TRUE to send an expanded Nak
 * @return 				eap_payload_t object
 */
 eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
--- a/src/libcharon/plugins/eap_peap/eap_peap_peer.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
@ -152,7 +152,7 @@ METHOD(tls_application_t, process, status_t,
 		{
 			DBG1(DBG_IKE, "EAP method not supported");
 			this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
-											   received_vendor != 0);
+											   in->is_expanded(in));
 			in->destroy(in);
 			return NEED_MORE;
 		}
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@ -193,7 +193,7 @@ METHOD(tls_application_t, process, status_t,
 		{
 			DBG1(DBG_IKE, "EAP method not supported");
 			this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
-											   received_vendor != 0);
+											   in->is_expanded(in));
 			in->destroy(in);
 			return NEED_MORE;
 		}
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@ -404,14 +404,14 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 					 eap_type_names, conf_type);
 			}
 			return eap_payload_create_nak(in->get_identifier(in), conf_type,
-										  conf_vendor, vendor != 0);
+										  conf_vendor, in->is_expanded(in));
 		}
 		this->method = load_method(this, type, vendor, EAP_PEER);
 		if (!this->method)
 		{
 			DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
 			return eap_payload_create_nak(in->get_identifier(in), 0, 0,
-										  vendor != 0);
+										  in->is_expanded(in));
 		}
 	}