From: Nick Porter <nick@portercomputing.co.uk>
Date: Tue, 11 Jul 2023 13:52:49 +0000 (+0100)
Subject: Check TACACS authentication type using pair
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d848ad93572d6e7dbf61554babead8678904d0d;p=thirdparty%2Ffreeradius-server.git

Check TACACS authentication type using pair

The packet available here has an encrypted body - so
packet->authen_start does not point at the bytes that make up the start
of an authentication packet body.
---

diff --git a/src/process/tacacs/base.c b/src/process/tacacs/base.c
index 661a7285154..a6df8fefb26 100644
--- a/src/process/tacacs/base.c
+++ b/src/process/tacacs/base.c
@@ -116,11 +116,13 @@ fr_dict_attr_autoload_t process_tacacs_dict_attr[] = {
 
 static fr_value_box_t const	*enum_auth_type_accept;
 static fr_value_box_t const	*enum_auth_type_reject;
+static fr_value_box_t const	*enum_tacacs_auth_type_ascii;
 
 extern fr_dict_enum_autoload_t process_tacacs_dict_enum[];
 fr_dict_enum_autoload_t process_tacacs_dict_enum[] = {
 	{ .out = &enum_auth_type_accept, .name = "Accept", .attr = &attr_auth_type },
 	{ .out = &enum_auth_type_reject, .name = "Reject", .attr = &attr_auth_type },
+	{ .out = &enum_tacacs_auth_type_ascii, .name = "ASCII", .attr = &attr_tacacs_authentication_type },
 	{ NULL }
 };
 
@@ -559,8 +561,9 @@ RESUME(auth_start)
 			 *	We only do multi-round authentication for the ASCII authentication type.
 			 *	Other authentication types are defined to be one request/reply only.
 			 */
+			vp = fr_pair_find_by_da(&request->request_pairs, NULL, attr_tacacs_authentication_type);
 			if (!packet_is_authen_start_request(packet) ||
-			    (packet->authen_start.authen_type != FR_AUTHENTICATION_TYPE_VALUE_ASCII)) {
+			    (vp && (fr_value_box_cmp(&vp->data, enum_tacacs_auth_type_ascii) != 0))) {
 				goto auth_type;
 			}