Allow use of larger RADIUS attributes in krad library

In kr_attrset_decode(), explicitly treat the length byte as unsigned.
    Otherwise attributes longer than 125 characters will be rejected with
    EBADMSG.

    Add a 253-character-long NAS-Identifier attribute to the tests to make
    sure that attributes with the maximal number of characters are working
    as expected.

    [ghudson@mit.edu: used uint8_t cast per current practices; edited
    commit message]

    ticket: 9036 (new)

From upstream, needed in preparation for OAuth2 support for FreeIPA and
SSSD.

Resolves: rhbz#2100351

Signed-off-by: Julien Rische <jrische@redhat.com>

krb5-krad-larger-attrs.patch

@@ -0,0 +1,69 @@
+From 0ac0fd2d349e4d5ef7379182f4d7ce480edd8d2b Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 8 Nov 2021 17:48:50 +0100
+Subject: [PATCH 2/2] Support larger RADIUS attributes in libkrad
+
+In kr_attrset_decode(), explicitly treat the length byte as unsigned.
+Otherwise attributes longer than 125 characters will be rejected with
+EBADMSG.
+
+Add a 253-character-long NAS-Identifier attribute to the tests to make
+sure that attributes with the maximal number of characters are working
+as expected.
+
+[ghudson@mit.edu: used uint8_t cast per current practices; edited
+commit message]
+
+ticket: 9036 (new)
+---
+ src/lib/krad/attrset.c  |  2 +-
+ src/lib/krad/t_packet.c | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
+index d89982a13..6ec031e32 100644
+--- a/src/lib/krad/attrset.c
++++ b/src/lib/krad/attrset.c
+@@ -218,7 +218,7 @@ kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
+ 
+     for (i = 0; i + 2 < in->length; ) {
+         type = in->data[i++];
+-        tmp = make_data(&in->data[i + 1], in->data[i] - 2);
++        tmp = make_data(&in->data[i + 1], (uint8_t)in->data[i] - 2);
+         i += tmp.length + 1;
+ 
+         retval = (in->length < i) ? EBADMSG : 0;
+diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
+index 0a92e9cc2..c22489144 100644
+--- a/src/lib/krad/t_packet.c
++++ b/src/lib/krad/t_packet.c
+@@ -57,6 +57,14 @@ make_packet(krb5_context ctx, const krb5_data *username,
+     krb5_error_code retval;
+     const krb5_data *data;
+     int i = 0;
++    krb5_data nas_id;
++
++    nas_id = string2data("12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "12345678901234567890123456789012345678901234567890"
++                         "123");
+ 
+     retval = krad_attrset_new(ctx, &set);
+     if (retval != 0)
+@@ -71,6 +79,11 @@ make_packet(krb5_context ctx, const krb5_data *username,
+     if (retval != 0)
+         goto out;
+ 
++    retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
++                              &nas_id);
++    if (retval != 0)
++        goto out;
++
+     retval = krad_packet_new_request(ctx, "foo",
+                                      krad_code_name2num("Access-Request"),
+                                      set, iterator, &i, &tmp);
+-- 
+2.35.3
+

krb5.spec

@@ -96,6 +96,7 @@ Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
 Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
 Patch33: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
 Patch34: krb5-krad-remote.patch
+Patch35: krb5-krad-larger-attrs.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -655,6 +656,7 @@ exit 0
 %changelog
 * Thu Jun 23 2022 Julien Rische <jrische@redhat.com> - 1.19.1-21
 - Fix libkrad client cleanup
+- Allow use of larger RADIUS attributes in krad library
 - Resolves: rhbz#2100351
 
 * Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20