Avoid spurious User-Name errors on EAP-TLS

author Nick Porter <nick@portercomputing.co.uk>

Mon, 14 Jul 2025 15:50:02 +0000 (16:50 +0100)

committer Nick Porter <nick@portercomputing.co.uk>

Mon, 14 Jul 2025 15:50:32 +0000 (16:50 +0100)
author Nick Porter <nick@portercomputing.co.uk>
Mon, 14 Jul 2025 15:50:02 +0000 (16:50 +0100)
committer Nick Porter <nick@portercomputing.co.uk>
Mon, 14 Jul 2025 15:50:32 +0000 (16:50 +0100)
diff --git a/src/include/radiusd.h b/src/include/radiusd.h

index 790fcaabe85a06bdc9f43a1c8a8587c9c8372ea9..e442b99c19aa3989e117a8c07cc1719162d303a2 100644 (file)
--- a/src/include/radiusd.h
+++ b/src/include/radiusd.h
@@ -496,7 +496,7 @@ void                version_print(void);
  char   *auth_name(char *buf, size_t buflen, REQUEST *request, bool do_cli);
  int            rad_authenticate (REQUEST *);
  int            rad_postauth(REQUEST *);
-int            rad_virtual_server(REQUEST *);
+int            rad_virtual_server(REQUEST *, bool check_username);
  
  /* exec.c */
  pid_t radius_start_program(char const *cmd, REQUEST *request, bool exec_wait,
diff --git a/src/main/auth.c b/src/main/auth.c

index 5fa400b9968f5ca6f196aad2b9b4eb7e39213646..395680635498c92cdf29db1931f3d7f1093663b8 100644 (file)
--- a/src/main/auth.c
+++ b/src/main/auth.c
@@ -732,7 +732,7 @@ authenticate:
   *     Run a virtual server auth and postauth
   *
   */
-int rad_virtual_server(REQUEST *request)
+int rad_virtual_server(REQUEST *request, bool check_username)
  {
         VALUE_PAIR *vp;
         int result;
@@ -747,7 +747,7 @@ int rad_virtual_server(REQUEST *request)
         /*
          *      Complain about possible issues related to tunnels.
          */
-       if (request->parent && request->parent->username && request->username) {
+       if (request->parent && request->parent->username && request->username && check_username) {
                 /*
                  *      Look at the full User-Name with realm.
                  */
diff --git a/src/main/unittest.c b/src/main/unittest.c

index feb72d6598abb0f1aff5a0a1f37637051701aeca..1abf1105ac962fa1c47ff54e9e77fb069ce8bc3b 100644 (file)
--- a/src/main/unittest.c
+++ b/src/main/unittest.c
@@ -909,7 +909,7 @@ int main(int argc, char *argv[])
                 fclose(fp);
         }
  
-       rad_virtual_server(request);
+       rad_virtual_server(request, true);
  
         if (!output_file || (strcmp(output_file, "-") == 0)) {
                 fp = stdout;
diff --git a/src/modules/rlm_eap/libeap/eap_chbind.c b/src/modules/rlm_eap/libeap/eap_chbind.c

index 21b258410cf2b4293a37aebb49d2adeaeba74ca2..5237b2a8cea72f7970f59edc5e698553ca9c47c5 100644 (file)
--- a/src/modules/rlm_eap/libeap/eap_chbind.c
+++ b/src/modules/rlm_eap/libeap/eap_chbind.c
@@ -207,7 +207,7 @@ PW_CODE chbind_process(REQUEST *request, CHBIND_REQ *chbind)
         fake->server = "channel_bindings";
         fake->packet->code = PW_CODE_ACCESS_REQUEST;
  
-       switch (rad_virtual_server(fake)) {
+       switch (rad_virtual_server(fake, true)) {
                 /* If rad_authenticate succeeded, build a reply */
         case RLM_MODULE_OK:
         case RLM_MODULE_HANDLED:
diff --git a/src/modules/rlm_eap/radeapclient.c b/src/modules/rlm_eap/radeapclient.c

index 66d9f040f924a56bd92169663dccf8cbdae3f7d2..82b17a0b48cdee3bb0fda1d8037e1c69681e0cae 100644 (file)
--- a/src/modules/rlm_eap/radeapclient.c
+++ b/src/modules/rlm_eap/radeapclient.c
@@ -246,7 +246,7 @@ static const FR_NAME_NUMBER rc_request_types[] = {
         { NULL, 0}
  };
  
-int rad_virtual_server(REQUEST UNUSED *request)
+int rad_virtual_server(REQUEST UNUSED *request, bool UNUSED check_username)
  {
    /*We're not the server so we cannot do this*/
    abort();
diff --git a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c

index 0d0b6c970cee8806ac3480f02509c8bdfa291098..39c2725a352e8dd5c4df048967468ecd06f421bb 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
+++ b/src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c
@@ -834,7 +834,7 @@ static rlm_rcode_t CC_HINT(nonnull) process_reply( eap_handler_t *eap_session,
                                         rad_assert(!reply->vps);
                                 }
                                 break;
-                               
+
                         default:
                                 break;
                         }
@@ -1014,7 +1014,7 @@ static PW_CODE eap_fast_eap_payload(REQUEST *request, eap_handler_t *eap_session
          * Call authentication recursively, which will
          * do PAP, CHAP, MS-CHAP, etc.
          */
-       rad_virtual_server(fake);
+       rad_virtual_server(fake, true);
  
         /*
          * Decide what to do with the reply.
diff --git a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c

index 24e7a664f5e871fb3d26c7b52f6603c3e048d7db..3e745bfa21c1f944e5f7252d5f08bb7ebc9cbb65 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_peap/peap.c
@@ -621,7 +621,7 @@ static int CC_HINT(nonnull) eappeap_postproxy(eap_handler_t *handler, void *data
                 fake->reply = NULL;
  
                 request->proxy->dst_port = 0; /* hacks for state.c lookups */
-               
+
                 /*
                  *      And we're done with this request.
                  */
@@ -836,7 +836,7 @@ rlm_rcode_t eappeap_process(eap_handler_t *handler, tls_session_t *tls_session,
                         fake->server = t->soh_virtual_server;
                 }
                 RDEBUG("Sending SoH request to server %s", fake->server ? fake->server : "NULL");
-               rad_virtual_server(fake);
+               rad_virtual_server(fake, true);
  
                 if (fake->reply->code != PW_CODE_ACCESS_ACCEPT) {
                         RDEBUG2("SoH was rejected");
@@ -1029,7 +1029,7 @@ rlm_rcode_t eappeap_process(eap_handler_t *handler, tls_session_t *tls_session,
          *      Call authentication recursively, which will
          *      do PAP, CHAP, MS-CHAP, etc.
          */
-       rad_virtual_server(fake);
+       rad_virtual_server(fake, true);
  
         /*
          *      Note that we don't do *anything* with the reply
diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c

index e85404b846fb9e6d0be46d6ce4d6933ac5a5b668..20646c5ba13d461f02f0f5a2afdfd13f2b0638c1 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c
+++ b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c
@@ -1392,7 +1392,7 @@ static PW_CODE eap_teap_phase2(REQUEST *request, eap_handler_t *eap_session,
          * Call authentication recursively, which will
          * do PAP, CHAP, MS-CHAP, etc.
          */
-       rad_virtual_server(fake);
+       rad_virtual_server(fake, true);
  
         /*
          * Decide what to do with the reply.
diff --git a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c

index 0eaf063421cc52f21103361973cf91f8cc1f18b5..6a0b46dc325025d0a36787a337c1e079d9967ea7 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c
@@ -184,7 +184,7 @@ static int CC_HINT(nonnull) mod_process(void *type_arg, eap_handler_t *handler)
                         }
  
                         RDEBUG2("Validating certificate");
-                       rad_virtual_server(fake);
+                       rad_virtual_server(fake, false);
  
                         /* copy the reply vps back to our reply */
                         fr_pair_list_mcopy_by_num(request->reply, &request->reply->vps,
diff --git a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c

index 4a27fcc63df8d0adb7278c7356d1bc7dc6ba2a52..5fe54d1c3f93352fc76262ea51c397b3a39bd8b5 100644 (file)
--- a/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
+++ b/src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c
@@ -1215,7 +1215,7 @@ int eapttls_process(eap_handler_t *handler, tls_session_t *tls_session)
          *      Call authentication recursively, which will
          *      do PAP, CHAP, MS-CHAP, etc.
          */
-       rad_virtual_server(fake);
+       rad_virtual_server(fake, true);
  
         /*
          *      Decide what to do with the reply.
author	Nick Porter <nick@portercomputing.co.uk>
	Mon, 14 Jul 2025 15:50:02 +0000 (16:50 +0100)
committer	Nick Porter <nick@portercomputing.co.uk>
	Mon, 14 Jul 2025 15:50:32 +0000 (16:50 +0100)
src/include/radiusd.h		patch \| blob \| blame \| history
src/main/auth.c		patch \| blob \| blame \| history
src/main/unittest.c		patch \| blob \| blame \| history
src/modules/rlm_eap/libeap/eap_chbind.c		patch \| blob \| blame \| history
src/modules/rlm_eap/radeapclient.c		patch \| blob \| blame \| history
src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c		patch \| blob \| blame \| history
src/modules/rlm_eap/types/rlm_eap_peap/peap.c		patch \| blob \| blame \| history
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c		patch \| blob \| blame \| history
src/modules/rlm_eap/types/rlm_eap_tls/rlm_eap_tls.c		patch \| blob \| blame \| history
src/modules/rlm_eap/types/rlm_eap_ttls/ttls.c		patch \| blob \| blame \| history