be less restrictive in the decoder which helps with CI

diff --git a/src/listen/tacacs/proto_tacacs.c b/src/listen/tacacs/proto_tacacs.c
index 93579d836d02994290c1182cc750e8f025101fe7..51c0306c94d7f332d75714958685d873748295d3 100644 (file)
--- a/src/listen/tacacs/proto_tacacs.c
+++ b/src/listen/tacacs/proto_tacacs.c
@@ -207,7 +207,13 @@ static int mod_decode(void const *instance, request_t *request, uint8_t *const d
        request->packet->data_len = data_len;
 
        secret = client->secret;
-       if (secret) secretlen = talloc_array_length(client->secret) - 1;
+       if (secret) {
+               if (!packet_is_encrypted((fr_tacacs_packet_t const *) data)) {
+                       REDEBUG("Expected to see encrypted packet, got unencrypted packet!");
+                       return -1;
+               }
+               secretlen = talloc_array_length(client->secret) - 1;
+       }
 
        /*
         *      Note that we don't set a limit on max_attributes here.

diff --git a/src/protocols/tacacs/decode.c b/src/protocols/tacacs/decode.c
index f7344ff7c5340cc4e996a03ee465eeda012e276b..dcf18839bfc12403cb3c31321b35f6ac053f6101 100644 (file)
--- a/src/protocols/tacacs/decode.c
+++ b/src/protocols/tacacs/decode.c
@@ -425,11 +425,6 @@ ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *bu
                return -1;
        }
 
-       if (secret && !packet_is_encrypted(pkt)) {
-               fr_strerror_const("Packet is clear-text but we expected it to be encrypted");
-               return -1;
-       }
-
        /*
         *      Call the struct encoder to do the actual work.
         */
@@ -443,7 +438,7 @@ ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *bu
         *
         *      If there's a secret, we alway decrypt the packets.
         */
-       if (secret) {
+       if (secret && packet_is_encrypted(pkt)) {
                size_t length;
 
                if (!secret_len) {