author | Tobias Brunner <tobias@strongswan.org> | 2012-08-23 08:36:24 +0200 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2012-08-31 11:40:27 +0200 |
commit | cc4eec56f73ef54386badc8732b1867cbe05b47f (patch) | |
tree | d23b3134094aecb96deeedec32b30bd28b0d19e1 | |
parent | 78e8dca94f86b97b7df649c1c96a7fe532019a5f (diff) | |
Encode EAP-Naks in expanded format if we got an expanded type request
Since methods defined by the IETF (vendor ID 0) could also be encoded in
expanded type format the previous check was insufficient.
-rw-r--r-- | src/libcharon/encoding/payloads/eap_payload.c | 7 | ||||
-rw-r--r-- | src/libcharon/encoding/payloads/eap_payload.h | 10 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_peap/eap_peap_peer.c | 2 | ||||
-rw-r--r-- | src/libcharon/plugins/eap_ttls/eap_ttls_peer.c | 2 | ||||
-rw-r--r-- | src/libcharon/sa/ikev2/authenticators/eap_authenticator.c | 4 |
5 files changed, 19 insertions, 6 deletions
diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c
index 15a9972f2..855504fe0 100644
--- a/src/libcharon/encoding/payloads/eap_payload.c
+++ b/src/libcharon/encoding/payloads/eap_payload.c
@@ -241,6 +241,12 @@ METHOD(eap_payload_t, get_type, eap_type_t,
 return 0;
 }
 
+METHOD(eap_payload_t, is_expanded, bool,
+ private_eap_payload_t *this)
+{
+ return this->data.len > 4 ? this->data.ptr[4] == EAP_EXPANDED : FALSE;
+}
+
 METHOD2(payload_t, eap_payload_t, destroy, void,
 private_eap_payload_t *this)
 {
@@ -272,6 +278,7 @@ eap_payload_t *eap_payload_create()
 .get_code = _get_code,
 .get_identifier = _get_identifier,
 .get_type = _get_type,
+ .is_expanded = _is_expanded,
 .destroy = _destroy,
 },
 .next_payload = NO_PAYLOAD,
diff --git a/src/libcharon/encoding/payloads/eap_payload.h b/src/libcharon/encoding/payloads/eap_payload.h
index d3c3fae28..934983282 100644
--- a/src/libcharon/encoding/payloads/eap_payload.h
+++ b/src/libcharon/encoding/payloads/eap_payload.h
@@ -83,6 +83,13 @@ struct eap_payload_t {
 eap_type_t (*get_type) (eap_payload_t *this, u_int32_t *vendor);
 
 /**
+ * Check if the EAP method type is encoded in the Expanded Type format.
+ *
+ * @return TRUE if in Expanded Type format
+ */
+ bool (*is_expanded) (eap_payload_t *this);
+
+ /**
 * Destroys an eap_payload_t object.
 */
 void (*destroy) (eap_payload_t *this);
@@ -129,8 +136,7 @@ eap_payload_t *eap_payload_create_code(eap_code_t code, u_int8_t identifier);
 * @param identifier EAP identifier to use in payload
 * @param type preferred auth type, 0 to send all supported types
 * @param vendor vendor identifier for auth type, 0 for default
- * @param expanded TRUE to send an expanded Nak (as response to an expanded
- * request, i.e. one with vendor specific type)
+ * @param expanded TRUE to send an expanded Nak
 * @return eap_payload_t object
 */
 eap_payload_t *eap_payload_create_nak(u_int8_t identifier, eap_type_t type,
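Review bot: In `is_expanded` the bare `4` is the offset of the EAP Type octet (after Code, Identifier and the two-byte Length), and nothing in the hunk says so. A comment such as `/* the Type octet follows the 4-byte EAP header */` above the return would make the bounds check self-explanatory, and the ternary reads more simply as `return this->data.len > 4 && this->data.ptr[4] == EAP_EXPANDED;`. The method also answers TRUE for a packet that holds only the type octet and is too short for the vendor ID and vendor type that follow it in the expanded format. Whether verify() has already rejected such a packet before callers get here is not visible in this diff. Since the result only selects the Nak format, documenting that `is_expanded` does not validate the rest of the expanded header would be enough.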
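Review bot: The new doc comment for `is_expanded` in eap_payload.h does not say what the method returns for a payload that has no type field at all. Going by the implementation added to eap_payload.c in this commit, the answer is FALSE whenever the data is four bytes or shorter. I would extend the return line to `@return TRUE if in Expanded Type format, FALSE otherwise or if no type is present`. The struct declaration starts and ends outside this hunk.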
diff --git a/src/libcharon/plugins/eap_peap/eap_peap_peer.c b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
index 5e1972672..79fd667cb 100644
--- a/src/libcharon/plugins/eap_peap/eap_peap_peer.c
+++ b/src/libcharon/plugins/eap_peap/eap_peap_peer.c
@@ -152,7 +152,7 @@ METHOD(tls_application_t, process, status_t,
 {
 DBG1(DBG_IKE, "EAP method not supported");
 this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
- received_vendor != 0);
+ in->is_expanded(in));
 in->destroy(in);
 return NEED_MORE;
 }
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 811fe051b..00a4da3f8 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
@@ -193,7 +193,7 @@ METHOD(tls_application_t, process, status_t,
 {
 DBG1(DBG_IKE, "EAP method not supported");
 this->out = eap_payload_create_nak(in->get_identifier(in), 0, 0,
- received_vendor != 0);
+ in->is_expanded(in));
 in->destroy(in);
 return NEED_MORE;
 }
diff --git a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
index c9178d061..a340c04d7 100644
--- a/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/eap_authenticator.c
@@ -404,14 +404,14 @@ static eap_payload_t* client_process_eap(private_eap_authenticator_t *this,
 eap_type_names, conf_type);
 }
 return eap_payload_create_nak(in->get_identifier(in), conf_type,
- conf_vendor, vendor != 0);
+ conf_vendor, in->is_expanded(in));
 }
 this->method = load_method(this, type, vendor, EAP_PEER);
 if (!this->method)
 {
 DBG1(DBG_IKE, "EAP method not supported, sending EAP_NAK");
 return eap_payload_create_nak(in->get_identifier(in), 0, 0,
- vendor != 0);
+ in->is_expanded(in));
 }
 }
 
|
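Review bot: Neither the `eap_payload_create_nak` call in eap_peap_peer.c nor the identical one in eap_ttls_peer.c has a comment saying why the Nak format has to mirror the request. RFC 3748 section 5.3.2 allows an Expanded Nak only in reply to an Expanded Type request. A short comment such as `/* answer in the format of the request, RFC 3748 5.3.2 */` above each call would keep a later reader from going back to a vendor-ID test. If `received_vendor` was read only for this argument it may now be unused, which cannot be judged here because `process` starts and ends outside both hunks.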
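Review bot: In the first changed call in `client_process_eap`, `conf_vendor` can be non-zero while `in->is_expanded(in)` is FALSE, meaning the configured method is vendor-specific but the request arrived in legacy format. A legacy Nak carries one octet per desired type and has no room for a vendor ID, so what `eap_payload_create_nak` emits in that case depends on code outside this diff. The previous `vendor != 0` argument had the same gap. It is worth confirming that the function then lists type 254 in the legacy Nak, as RFC 3748 section 5.3.1 permits, and if so recording it at the call with a comment such as `/* legacy request, vendor method: Nak lists EAP_EXPANDED */`. The function body starts and ends outside the hunk.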