From: Nick Porter Date: Fri, 10 Jan 2025 11:33:14 +0000 (+0000) Subject: Initial packets from TACACS+ dynamic clients can't be decoded X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=64de8d4c1220a22c7f6a5189f271e6d00cdde8a9;p=thirdparty%2Ffreeradius-server.git Initial packets from TACACS+ dynamic clients can't be decoded As we don't know the shared secret yet - so just set a sensible packet code and skip the decode. --- diff --git a/src/listen/tacacs/proto_tacacs.c b/src/listen/tacacs/proto_tacacs.c index 79a73c6ee2a..d6d6816d7a2 100644 --- a/src/listen/tacacs/proto_tacacs.c +++ b/src/listen/tacacs/proto_tacacs.c @@ -184,6 +184,32 @@ static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t * request->packet->data = talloc_memdup(request->packet, data, data_len); request->packet->data_len = data_len; + if (!client->active) { + fr_assert(client->dynamic); + request_set_dynamic_client(request); + + /* + * For real packets, the code is extracted during packet decode, + * however, we can't do that for a fake packet used to set up a + * dynamic client as we don't have the secret - so set an intelligent + * packet code. + */ + switch (request->packet->data[1]) { + case FR_TAC_PLUS_AUTHEN: + request->packet->code = FR_PACKET_TYPE_VALUE_AUTHENTICATION_START; + break; + case FR_TAC_PLUS_AUTHOR: + request->packet->code = FR_PACKET_TYPE_VALUE_AUTHORIZATION_REQUEST; + break; + case FR_TAC_PLUS_ACCT: + request->packet->code = FR_PACKET_TYPE_VALUE_ACCOUNTING_REQUEST; + break; + default: + return -1; + } + goto skip_decode; + } + secret = client->secret; if (secret) { if (!packet_is_encrypted((fr_tacacs_packet_t const *) data)) { @@ -215,6 +241,7 @@ static int mod_decode(UNUSED void const *instance, request_t *request, uint8_t * } request->packet->code = code; +skip_decode: /* * RFC 8907 Section 3.6 says:
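Review bot: In the new `if (!client->active)` branch of the first hunk, `switch (request->packet->data[1])` indexes a packet from a client whose secret is not yet known, and no length check is visible before it; the `talloc_memdup()` result it reads through is also used unchecked in the context lines above. mod_decode begins and ends outside the hunk, so the caller may already guarantee a complete TACACS+ header, but if it does not, add a guard ahead of the switch such as `if (!request->packet->data || data_len < 2) return -1;`, or better a comparison against the full header size. `fr_assert(client->dynamic)` is presumably active only in debug builds, so if an inactive, non-dynamic client must never reach `request_set_dynamic_client()`, a runtime check is the safer form. The `default: return -1;` arm rejects the packet without any message; a debug log line there would let operators see malformed first packets from unknown clients.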