So saith FreeRADIUS 2.1.1, but I wasn't trying to do multiple levels of TLS nesting. I'm trying to use virtual servers so that a single radiusd can terminate TTLS/PEAP for multiple subrealms, _and_ use the inner-tunnel trick, keeping the configs completely independent for each subrealm. This allows me to hook up different departments with different AAA infrastructures into one radius set-up for our eduroam service.

My "default" server has a pair of listen{} blocks, and little else:

        authorize {
                suffix
        }

        authenticate {
        }

So, rlm_realm finds my virtual servers in proxy.conf, e.g.:

        realm dcs.qmul.ac.uk {
                nostrip
                virtual_server = dcs
        }

...and "dcs" has its own EAP config, which references a virtual_server "dcs-inner" for the PEAP/TTLS innards, which has _its_ own EAP config.

My problem is that eap.c (line 219), as called by "dcs-inner", notices the request has a grandparent, and assumes it's multiple layers of TLS nesting. Interestingly, the comment omits the magic word "TLS". I think perhaps that the virtual servers appear to count as layers. Anyway, this braindead patch makes it work for me:

--- freeradius-server-2.1.1/src/modules/rlm_eap/eap.c.orig      2008-09-25 
09:41:26.000000000 +0100
+++ freeradius-server-2.1.1/src/modules/rlm_eap/eap.c   2008-10-14 
15:19:53.800553926 +0100
@@ -216,10 +216,13 @@
        /*
         *      Multiple levels of nesting are invalid.
         */
-       if (handler->request->parent && handler->request->parent->parent) {
-               RDEBUG2("Multiple levels of TLS nesting is invalid.");
+       if (handler->request->parent && handler->request->parent->parent && 
handler->request->parent->parent->parent ) {
+               RDEBUG2("Multiple levels of TLS nesting is really invalid.");
                return EAP_INVALID;
        }
+       if (handler->request->parent && handler->request->parent->parent) {
+               RDEBUG2("Multiple levels of nesting is thought invalid, continuing 
anyway.");
+       }

        /*
         *      Figure out what to do.
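Review bot: the relaxed condition in this hunk no longer catches genuine two-level TLS nesting when there is no virtual-server hop in the chain: an outer request -> tunnel -> tunnel chain has a parent and a grandparent but no great-grandparent, so the new first `if` lets it through and the second `if` only logs "continuing anyway", which is exactly the case the surrounding comment ("Multiple levels of nesting are invalid") is there to reject. A check that counts only tunnel-created parents, rather than raw parent depth, would keep that protection while still permitting the `virtual_server` + inner-tunnel layout described in the mail. Also, the added condition is line-wrapped here (`&& ` at the end of one line, `handler->request->parent->parent->parent )` on the next), so the patch will not apply as pasted without rejoining that line, and the trailing space and the space before `)` should go; the two new RDEBUG2 strings ("is really invalid" / "is thought invalid, continuing anyway") would be clearer as a single message that states the depth it found.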

...and my "radiusd -X" output now looks like this:

Found Auth-Type = dcs-inner-eap
+- entering group authenticate {...}
[dcs-inner-eap] Request found, released from the list
[dcs-inner-eap] Multiple levels of nesting is thought invalid, continuing anyway.
[dcs-inner-eap] EAP/mschapv2
[dcs-inner-eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] No Cleartext-Password configured.  Cannot create LM-Password.
[mschap] Found NT-Password
[mschap] Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
[mschap] adding MS-CHAPv2 MPPE keys
++[mschap] returns ok
MSCHAP Success
++[dcs-inner-eap] returns handled

So... I hope this is useful. Do drop me a mail on- or off-list on
<mb/[EMAIL PROTECTED]>, if you want any further information or if I'm not being clear enough.

Matt
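To make the parent-chain reasoning above concrete, here is an added example (not code from the mail and not FreeRADIUS source) that models the request chain as a tiny linked list and evaluates three checks against it: the original eap.c condition, the patched condition, and a tunnel-aware alternative that counts only parents created by a PEAP/TTLS tunnel. The struct, the `created_by` tag, the `HOP_*` names and the `tls_depth`/`check_*` helpers are all assumptions made for illustration; FreeRADIUS exposes no such field. The example goes beyond the mail's single case by also building an outer -> tunnel -> tunnel chain with no virtual-server hop, which the patched condition accepts.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model of a request chain (assumed for illustration, not the real REQUEST struct). */
typedef enum {
    HOP_NONE = 0,        /* the outer request received from the NAS */
    HOP_VIRTUAL_SERVER,  /* child created by realm -> virtual_server dispatch */
    HOP_TLS_TUNNEL       /* child created by a PEAP/TTLS inner tunnel */
} hop_t;

typedef struct request {
    struct request *parent;
    hop_t created_by;
    const char *server;  /* virtual server name, for readability only */
} request_t;

#define EAP_OK      1
#define EAP_INVALID 0

/* Original 2.1.1 check: any grandparent at all is fatal. */
int check_original(const request_t *r) {
    if (r->parent && r->parent->parent) return EAP_INVALID;
    return EAP_OK;
}

/* The mail's patch: only a great-grandparent is fatal. */
int check_patched(const request_t *r) {
    if (r->parent && r->parent->parent && r->parent->parent->parent) return EAP_INVALID;
    return EAP_OK;
}

/* Assumed alternative: count only tunnel-created hops along the chain. */
int tls_depth(const request_t *r) {
    int depth = 0;
    for (; r != NULL; r = r->parent)
        if (r->created_by == HOP_TLS_TUNNEL) depth++;
    return depth;
}

int check_tls_aware(const request_t *r) {
    return tls_depth(r) > 1 ? EAP_INVALID : EAP_OK;
}

/* Constructed chain from the mail: default -> dcs (virtual_server) -> dcs-inner (tunnel). */
static request_t g_outer = { NULL,     HOP_NONE,           "default"   };
static request_t g_dcs   = { &g_outer, HOP_VIRTUAL_SERVER, "dcs"       };
static request_t g_inner = { &g_dcs,   HOP_TLS_TUNNEL,     "dcs-inner" };

/* Constructed chain with genuine TLS-in-TLS and no virtual-server hop. */
static request_t g_plain = { NULL,     HOP_NONE,       "default"     };
static request_t g_t1    = { &g_plain, HOP_TLS_TUNNEL, "inner"       };
static request_t g_t2    = { &g_t1,    HOP_TLS_TUNNEL, "inner-inner" };

static void report(const char *label, const request_t *r) {
    printf("%-28s original=%d patched=%d tls_aware=%d (tls_depth=%d)\n",
           label, check_original(r), check_patched(r), check_tls_aware(r), tls_depth(r));
}

int main(void) {
    report("dcs -> dcs-inner:", &g_inner);   /* original rejects, patched and tls-aware accept */
    report("tunnel -> tunnel:", &g_t2);      /* patched accepts, original and tls-aware reject */
    return 0;
}
```

Running it shows the trade-off the patch makes: the virtual-server layout passes under both the patched and the tunnel-aware check, but the tunnel-in-tunnel chain is only still rejected by the tunnel-aware one.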
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
