Allow use of larger RADIUS attributes in krad library
In kr_attrset_decode(), explicitly treat the length byte as unsigned. Otherwise attributes longer than 125 characters will be rejected with EBADMSG. Add a 253-character-long NAS-Identifier attribute to the tests to make sure that attributes with the maximal number of characters are working as expected. [ghudson@mit.edu: used uint8_t cast per current practices; edited commit message] ticket: 9036 (new) From upstream, needed in preparation for OAuth2 support for FreeIPA and SSSD. Resolves: rhbz#2100351 Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
parent
5fafe74f37
commit
08803b1c46
69
krb5-krad-larger-attrs.patch
Normal file
69
krb5-krad-larger-attrs.patch
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
From 0ac0fd2d349e4d5ef7379182f4d7ce480edd8d2b Mon Sep 17 00:00:00 2001
|
||||||
|
From: Sumit Bose <sbose@redhat.com>
|
||||||
|
Date: Mon, 8 Nov 2021 17:48:50 +0100
|
||||||
|
Subject: [PATCH 2/2] Support larger RADIUS attributes in libkrad
|
||||||
|
|
||||||
|
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
|
||||||
|
Otherwise attributes longer than 125 characters will be rejected with
|
||||||
|
EBADMSG.
|
||||||
|
|
||||||
|
Add a 253-character-long NAS-Identifier attribute to the tests to make
|
||||||
|
sure that attributes with the maximal number of characters are working
|
||||||
|
as expected.
|
||||||
|
|
||||||
|
[ghudson@mit.edu: used uint8_t cast per current practices; edited
|
||||||
|
commit message]
|
||||||
|
|
||||||
|
ticket: 9036 (new)
|
||||||
|
---
|
||||||
|
src/lib/krad/attrset.c | 2 +-
|
||||||
|
src/lib/krad/t_packet.c | 13 +++++++++++++
|
||||||
|
2 files changed, 14 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/src/lib/krad/attrset.c b/src/lib/krad/attrset.c
|
||||||
|
index d89982a13..6ec031e32 100644
|
||||||
|
--- a/src/lib/krad/attrset.c
|
||||||
|
+++ b/src/lib/krad/attrset.c
|
||||||
|
@@ -218,7 +218,7 @@ kr_attrset_decode(krb5_context ctx, const krb5_data *in, const char *secret,
|
||||||
|
|
||||||
|
for (i = 0; i + 2 < in->length; ) {
|
||||||
|
type = in->data[i++];
|
||||||
|
- tmp = make_data(&in->data[i + 1], in->data[i] - 2);
|
||||||
|
+ tmp = make_data(&in->data[i + 1], (uint8_t)in->data[i] - 2);
|
||||||
|
i += tmp.length + 1;
|
||||||
|
|
||||||
|
retval = (in->length < i) ? EBADMSG : 0;
|
||||||
|
diff --git a/src/lib/krad/t_packet.c b/src/lib/krad/t_packet.c
|
||||||
|
index 0a92e9cc2..c22489144 100644
|
||||||
|
--- a/src/lib/krad/t_packet.c
|
||||||
|
+++ b/src/lib/krad/t_packet.c
|
||||||
|
@@ -57,6 +57,14 @@ make_packet(krb5_context ctx, const krb5_data *username,
|
||||||
|
krb5_error_code retval;
|
||||||
|
const krb5_data *data;
|
||||||
|
int i = 0;
|
||||||
|
+ krb5_data nas_id;
|
||||||
|
+
|
||||||
|
+ nas_id = string2data("12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "12345678901234567890123456789012345678901234567890"
|
||||||
|
+ "123");
|
||||||
|
|
||||||
|
retval = krad_attrset_new(ctx, &set);
|
||||||
|
if (retval != 0)
|
||||||
|
@@ -71,6 +79,11 @@ make_packet(krb5_context ctx, const krb5_data *username,
|
||||||
|
if (retval != 0)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
+ retval = krad_attrset_add(set, krad_attr_name2num("NAS-Identifier"),
|
||||||
|
+ &nas_id);
|
||||||
|
+ if (retval != 0)
|
||||||
|
+ goto out;
|
||||||
|
+
|
||||||
|
retval = krad_packet_new_request(ctx, "foo",
|
||||||
|
krad_code_name2num("Access-Request"),
|
||||||
|
set, iterator, &i, &tmp);
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
@ -96,6 +96,7 @@ Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
|
|||||||
Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
|
Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
|
||||||
Patch33: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
|
Patch33: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
|
||||||
Patch34: krb5-krad-remote.patch
|
Patch34: krb5-krad-remote.patch
|
||||||
|
Patch35: krb5-krad-larger-attrs.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: https://web.mit.edu/kerberos/www/
|
URL: https://web.mit.edu/kerberos/www/
|
||||||
@ -655,6 +656,7 @@ exit 0
|
|||||||
%changelog
|
%changelog
|
||||||
* Thu Jun 23 2022 Julien Rische <jrische@redhat.com> - 1.19.1-21
|
* Thu Jun 23 2022 Julien Rische <jrische@redhat.com> - 1.19.1-21
|
||||||
- Fix libkrad client cleanup
|
- Fix libkrad client cleanup
|
||||||
|
- Allow use of larger RADIUS attributes in krad library
|
||||||
- Resolves: rhbz#2100351
|
- Resolves: rhbz#2100351
|
||||||
|
|
||||||
* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20
|
* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20
|
||||||
|
Loading…
Reference in New Issue
Block a user