From: Alan T. DeKok Date: Thu, 7 Sep 2023 19:19:58 +0000 (-0400) Subject: allow tacacs to encode nested attributes X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=34e0c016c2cdb0ea553ad3513ffbe37594d5f633;p=thirdparty%2Ffreeradius-server.git allow tacacs to encode nested attributes --- diff --git a/src/protocols/tacacs/encode.c b/src/protocols/tacacs/encode.c index 7db8b364f29..82bec2b5345 100644 --- a/src/protocols/tacacs/encode.c +++ b/src/protocols/tacacs/encode.c @@ -142,6 +142,8 @@ static uint8_t tacacs_encode_body_arg_cnt(fr_pair_list_t *vps, fr_dict_attr_t co if (vp->da->flags.internal) continue; + if (vp->da == attr_tacacs_packet) continue; + /* * Argument-List = "foo=bar" */ @@ -193,6 +195,8 @@ static ssize_t tacacs_encode_body_arg_n(fr_dbuff_t *dbuff, uint8_t arg_cnt, uint if (vp->da->flags.internal) continue; + if (vp->da == attr_tacacs_packet) continue; + /* * Argument-List = "foo=bar" */ @@ -995,7 +999,8 @@ ssize_t fr_tacacs_encode(fr_dbuff_t *dbuff, uint8_t const *original_packet, char } #ifndef NDEBUG - if (fr_debug_lvl >= L_DBG_LVL_4) { +// if (fr_debug_lvl >= L_DBG_LVL_4) { + if (1) { uint8_t flags = packet->hdr.flags; packet->hdr.flags |= FR_TAC_PLUS_UNENCRYPTED_FLAG; diff --git a/src/tests/unit/protocols/tacacs/base.txt b/src/tests/unit/protocols/tacacs/base.txt index c6316ce9395..445e3d76697 100644 --- a/src/tests/unit/protocols/tacacs/base.txt +++ b/src/tests/unit/protocols/tacacs/base.txt @@ -6,8 +6,6 @@ proto tacacs proto-dictionary tacacs fuzzer-out tacacs -migrate pair_legacy_nested = false - # ./pam_tacplus/tacc -TRA -u bob -p hello -s 172.17.0.2 -r 1.1.1.1 -k testing123 -S ppp -P ip -L pap # N.B. decrypted and unencrypted flag has been set 
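Review bot: The new `if (vp->da == attr_tacacs_packet) continue;` filter in tacacs_encode_body_arg_cnt() has no comment, and the identical line is repeated in the tacacs_encode_body_arg_n() hunk at -193. The two loops presumably have to skip exactly the same pairs, otherwise the argument count computed by the first will disagree with the argument lengths and values emitted by the second. I would add a comment above both lines, for example `/* Packet = { ... } carries header fields, not an argument; keep this filter identical in the arg_cnt and arg_n loops. */`. Both function bodies continue outside their hunks, so it is not visible whether other structural (non-leaf) pairs can still reach the "foo=bar" encoding.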
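Review bot: The debug-level gate in fr_tacacs_encode() (hunk at -995) is replaced by `if (1) {`, with the old condition left behind as a `//` comment, which looks like a debugging leftover unrelated to nested-attribute encoding. In every build without NDEBUG the block now runs on each encode and sets FR_TAC_PLUS_UNENCRYPTED_FLAG on `packet->hdr.flags`. The rest of the block is outside the hunk, but if it dumps the packet, packet bodies would be written to the log regardless of the configured debug level. I would restore `if (fr_debug_lvl >= L_DBG_LVL_4) {` and drop the commented-out line.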
@@ -33,6 +31,12 @@ match Packet.Version-Major = Plus, Packet.Version-Minor = 1, Packet.Packet-Type encode-proto - match c1 01 02 01 b7 0f c8 0e 00 00 00 06 01 00 00 00 00 00 +pair Packet.Version-Major = Plus, Packet.Version-Minor = 0, Packet.Packet-Type = Authorization, Packet.Sequence-Number = 1, Packet.Flags = None, Packet.Session-Id = 3781589222, Packet.Length = 53, Packet-Body-Type = Request, Authentication-Method = TACACSPLUS, Privilege-Level = Minimum, Authentication-Type = PAP, Authentication-Service = PPP, User-Name = "bob", Client-Port = "tapioca/0", Remote-Address = "localhost", service = "ppp", protocol = "ip" +match Packet = { Version-Major = Plus, Version-Minor = 0, Packet-Type = Authorization, Sequence-Number = 1, Flags = None, Session-Id = 3781589222, Length = 53 }, Packet-Body-Type = Request, Authentication-Method = TACACSPLUS, Privilege-Level = Minimum, Authentication-Type = PAP, Authentication-Service = PPP, User-Name = "bob", Client-Port = "tapioca/0", Remote-Address = "localhost", service = "ppp", protocol = "ip" + +encode-proto - +match c0 02 01 01 e1 66 78 e6 00 00 00 35 06 00 02 03 03 09 09 02 0b 0b 62 6f 62 74 61 70 69 6f 63 61 2f 30 6c 6f 63 61 6c 68 6f 73 74 73 65 72 76 69 63 65 3d 70 70 70 70 72 6f 74 6f 63 6f 6c 3d 69 70 + # # Authorization - Request: (Client -> Server) # @@ -72,4 +76,4 @@ decode-proto c002 20ff 2020 2020 0000 0043 2009 0000 0009 000a 2120 2020 2020 20 match Argument 3 length 32 overflows packet count -match 30 +match 33 diff --git a/src/tests/unit/protocols/tacacs/regression.txt b/src/tests/unit/protocols/tacacs/regression.txt index ab2b706f16e..8d580288c82 100644 --- a/src/tests/unit/protocols/tacacs/regression.txt +++ b/src/tests/unit/protocols/tacacs/regression.txt @@ -6,8 +6,6 @@ proto tacacs proto-dictionary tacacs fuzzer-out tacacs -migrate pair_legacy_nested = false - # # Authorization - Response: (Client <- Server) # 
@@ -19,4 +17,4 @@ encode-proto Packet.Version-Major = Plus, Packet.Version-Minor = 0, Packet.Packe match c0 02 02 05 e1 66 78 e6 00 00 00 13 01 01 00 00 00 00 0c 61 64 64 72 3d 31 2e 32 2e 33 2e 34 count -match 6 +match 5