From: Nick Porter <nick@portercomputing.co.uk>
Date: Wed, 13 Nov 2024 14:26:27 +0000 (+0000)
Subject: Only reject nested TLS if the eap method is TLS
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba0b12e08f2877d022085dbcc8ffe310dcb3485c;p=thirdparty%2Ffreeradius-server.git

Only reject nested TLS if the eap method is TLS

Nested requests are used for PEAP now, so you do get
request->parent->parent when processing the inner tunnel.
---

diff --git a/src/modules/rlm_eap/rlm_eap.c b/src/modules/rlm_eap/rlm_eap.c
index f68982e8e89..96e0a6ea4b7 100644
--- a/src/modules/rlm_eap/rlm_eap.c
+++ b/src/modules/rlm_eap/rlm_eap.c
@@ -606,7 +606,7 @@ static unlang_action_t eap_method_select(rlm_rcode_t *p_result, module_ctx_t con
 	 *	parent.  If the outer session exists, and doesn't have
 	 *	a home server, then it's multiple layers of tunneling.
 	 */
-	if (eap_session->request->parent &&
+	if (type->num == FR_EAP_METHOD_TLS && eap_session->request->parent &&
 	    eap_session->request->parent->parent) {
 		RERROR("Multiple levels of TLS nesting are invalid");
 		goto is_invalid;