From: Nick Porter
Date: Fri, 1 Sep 2023 14:34:46 +0000 (+0100)
Subject: Handle difference between TACACS and RADIUS MS-CHAP Response formats
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d2039e6abef4b074417b53783003aa5a57778901;p=thirdparty%2Ffreeradius-server.git
Handle difference between TACACS and RADIUS MS-CHAP Response formats
---
diff --git a/src/protocols/tacacs/decode.c b/src/protocols/tacacs/decode.c
index d73395a8415..1cb9ed6c78f 100644
--- a/src/protocols/tacacs/decode.c
+++ b/src/protocols/tacacs/decode.c
@@ -703,9 +703,23 @@ ssize_t fr_tacacs_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, fr_dict_attr_t co

 /*
 * Rework things to make sense.
+ * RFC 8079 says that MS-CHAP responses should follow RFC 2433 and 2759
+ * which have "Flags" at the end.
+ * RADIUS attributes expect "Flags" after the ID as per RFC 2548.
+ * Re-arrange to make things consistent.
 */
 hash[0] = p[0];
- memcpy(hash + 1, p + 1 + challenge_len, want - 1);
+ switch (pkt->authen_start.authen_type) {
+ case FR_AUTHENTICATION_TYPE_VALUE_MSCHAP:
+ case FR_AUTHENTICATION_TYPE_VALUE_MSCHAPV2:
+ hash[1] = p[want - 1];
+ memcpy(hash + 2, p + 1 + challenge_len, want - 2);
+ break;
+
+ default:
+ memcpy(hash + 1, p + 1 + challenge_len, want - 1);
+ break;
+ }

 vp = fr_pair_afrom_da(ctx, da);
 if (!vp) goto fail;
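Review bot: The Flags octet is read from `p[want - 1]`, but the `memcpy` on the following line takes the response from `p + 1 + challenge_len`, so the last octet of that response would sit at `p[challenge_len + want - 1]`; the two indices agree only when `challenge_len` is zero. If a challenge does precede the response, as the source offset implies, the MS-CHAP cases put a challenge or response octet in the Flags position and the rebuilt attribute will not match what the client sent, which would surface as authentication failures. Consider `hash[1] = p[challenge_len + want - 1];`. The definitions of `want`, `challenge_len` and `hash` lie outside this hunk, so the index should be confirmed against them and against the length check that guards this block.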