From: Alan T. DeKok
Date: Tue, 7 Feb 2023 16:15:06 +0000 (-0500)
Subject: be less restrictive in the decoder which helps with CI
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=72e694362ecf24346787e20a9f3bd11ae1551635;p=thirdparty%2Ffreeradius-server.git
be less restrictive in the decoder which helps with CI
---
diff --git a/src/listen/tacacs/proto_tacacs.c b/src/listen/tacacs/proto_tacacs.c
index 93579d836d0..51c0306c94d 100644
--- a/src/listen/tacacs/proto_tacacs.c
+++ b/src/listen/tacacs/proto_tacacs.c
@@ -207,7 +207,13 @@ static int mod_decode(void const *instance, request_t *request, uint8_t *const d
 request->packet->data_len = data_len;
 secret = client->secret;
- if (secret) secretlen = talloc_array_length(client->secret) - 1;
+ if (secret) {
+ if (!packet_is_encrypted((fr_tacacs_packet_t const *) data)) {
+ REDEBUG("Expected to see encrypted packet, got unencrypted packet!");
+ return -1;
+ }
+ secretlen = talloc_array_length(client->secret) - 1;
+ }
 /*
 * Note that we don't set a limit on max_attributes here.
diff --git a/src/protocols/tacacs/decode.c b/src/protocols/tacacs/decode.c
index f7344ff7c53..dcf18839bfc 100644
--- a/src/protocols/tacacs/decode.c
+++ b/src/protocols/tacacs/decode.c
@@ -425,11 +425,6 @@ ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *bu
 return -1;
 }
- if (secret && !packet_is_encrypted(pkt)) {
- fr_strerror_const("Packet is clear-text but we expected it to be encrypted");
- return -1;
- }
-
 /*
 * Call the struct encoder to do the actual work.
 */
@@ -443,7 +438,7 @@ ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *bu
 *
 * If there's a secret, we alway decrypt the packets.
 */
- if (secret && packet_is_encrypted(pkt)) {
 size_t length;
 if (!secret_len) {
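Review bot: The check added to mod_decode() in src/listen/tacacs/proto_tacacs.c casts `data` to `fr_tacacs_packet_t const *` and presumably reads the header flags, but nothing visible in the hunk confirms that `data_len` covers a full TACACS+ header before that read. If no earlier length check exists in the read path or in the part of mod_decode() outside the hunk, a short buffer would be read past its end. A guard such as `if (data_len < sizeof(fr_tacacs_packet_hdr_t)) return -1;` ahead of the flag test would close that. A comment such as `/* Policy: a client with a shared secret must never send clear-text packets; fr_tacacs_decode() does not enforce this. */` would also record why the test lives in the listener.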
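Review bot: In fr_tacacs_decode() (src/protocols/tacacs/decode.c) the new condition `if (secret && packet_is_encrypted(pkt))` means a packet flagged as unencrypted is decoded as clear text even when a secret is supplied. With the rejection deleted in the previous hunk, the library decoder no longer enforces encryption for any caller. This commit adds the replacement check only to mod_decode(), so any other caller that passes a secret (none are visible here) would accept clear-text packets from a peer that sets the flag, and should be audited. The comment directly above the condition is now stale; it could read `If there's a secret and the packet is flagged as encrypted, decrypt it. Callers that require encryption MUST reject clear-text packets before calling this function.` The function body continues outside the hunk.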