From: Arran Cudbard-Bell
Date: Thu, 23 Feb 2023 04:12:35 +0000 (-0600)
Subject: tacacs: Respect reply.Flags so we can negotiate single connection mode
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a43a772f69971997210abfbf862bca21d283e17;p=thirdparty%2Ffreeradius-server.git
tacacs: Respect reply.Flags so we can negotiate single connection mode
---
diff --git a/src/protocols/tacacs/encode.c b/src/protocols/tacacs/encode.c
index 111cd194958..6e1cbe4e354 100644
--- a/src/protocols/tacacs/encode.c
+++ b/src/protocols/tacacs/encode.c
@@ -426,12 +426,24 @@ ssize_t fr_tacacs_encode(fr_dbuff_t *dbuff, uint8_t const *original_packet, char
 /*
 * Ensure that we send a sane reply to a request.
 */
- if (original) {
- packet->hdr.version = original->version;
- packet->hdr.type = original->type;
- packet->hdr.flags = original->flags; /* encrypted && single connection */
- packet->hdr.session_id = original->session_id;
+ {
+ fr_pair_t const *flags_vp;
+ /*
+ * Flags must be mutable so that the server
+ * can request single connection mode if
+ * this is configured for the client.
+ */
+ flags_vp = fr_pair_find_by_da_nested(vps, NULL, attr_tacacs_flags);
+
+ if (original) {
+ packet->hdr.version = original->version;
+ packet->hdr.type = original->type;
+ packet->hdr.flags = original->flags; /* encrypted && single connection */
+ packet->hdr.session_id = original->session_id;
+ }
+
+ if (flags_vp) packet->hdr.flags = flags_vp->vp_uint8;
 }
 /*
diff --git a/src/tests/unit/protocols/tacacs/base.txt b/src/tests/unit/protocols/tacacs/base.txt
index 7450b934684..84b7292ae24 100644
--- a/src/tests/unit/protocols/tacacs/base.txt
+++ b/src/tests/unit/protocols/tacacs/base.txt
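Review bot: In fr_tacacs_encode (src/protocols/tacacs/encode.c), the new last line `if (flags_vp) packet->hdr.flags = flags_vp->vp_uint8;` overwrites the whole flags byte, so a Packet.Flags pair in the reply list now controls the unencrypted bit (0x01 in RFC 8907) and the unassigned bits as well as single-connect. The code that decides whether the body is obfuscated lies outside this hunk; if it does not follow the final header value, a reply can go out with a header that disagrees with its body, or with a cleartext body on a session whose request was obfuscated. Because the stated goal is only single-connection negotiation, I would take just that bit from the pair when `original` is set, for example `packet->hdr.flags = (original->flags & ~0x04) | (flags_vp->vp_uint8 & 0x04);` written with the project's named constant for 0x04. The function starts and ends outside the hunk.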
@@ -49,6 +49,16 @@ match Packet.Version-Major = Plus, Packet.Version-Minor = 0, Packet.Packet-Type
 encode-proto -
 match c0 02 02 00 e1 66 78 e6 00 00 00 13 02 59 f9 90 38 81 e1 bb 9d a6 13 93 fc 86 7e 4a 14 1c 24
+#
+# Authorization - Response: (Client <- Server)
+#
+# Flags = Single-Connect
+#
+# Regression test - Flags VP not respected
+#
+encode-proto Packet.Version-Major = Plus, Packet.Version-Minor = 0, Packet.Packet-Type = Authorization, Packet.Sequence-Number = 2, Packet.Flags = Single-Connect, Packet.Session-Id = 3781589222, Packet.Length = 19, Packet-Body-Type = Response, Authorization-Status = Pass-Add, Server-Message = "", Data = 0x, Argument-List = "addr=1.2.3.4"
+match c0 02 02 04 e1 66 78 e6 00 00 00 13 02 59 f9 90 38 81 e1 bb 9d a6 13 93 fc 86 7e 4a 14 1c 24
+
 #
 # Accounting - Request: (Client -> Server)
 #
@@ -70,4 +80,4 @@ decode-proto c002 20ff 2020 2020 0000 0043 2009 0000 0009 000a 2120 2020 2020 20
 match Argument 3 length 32 overflows packet
 count
-match 29
+match 31
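Review bot: The added case in the first hunk pins only `Packet.Flags = Single-Connect` (header byte `04`), apparently for a packet encoded from attributes alone; nothing here covers a Flags value that carries the unencrypted bit, which the encoder change in this commit also makes settable. A companion `encode-proto` / `match` pair for that value would record whether the body is expected to stay obfuscated, so that the behaviour is a documented decision rather than a side effect.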