From 12a2cf4a6f885481ec0a9237e7febb89ddb4991a Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Sat, 18 Nov 2023 08:57:55 -0500
Subject: [PATCH] allow for password longer than 128 characters and update aruba dictionary for encrypted attribute
---
 share/dictionary.aruba | 2 +-
 src/lib/radius.c | 15 ++++-----------
 src/tests/unit/vendor.txt | 6 ++++++
 3 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/share/dictionary.aruba b/share/dictionary.aruba
index c2373ed64e2..26bd82a50f1 100644
--- a/share/dictionary.aruba
+++ b/share/dictionary.aruba
@@ -82,7 +82,7 @@ ATTRIBUTE Aruba-Device-Traffic-Class 63 integer
 ATTRIBUTE Aruba-PVLAN-Port-Type 64 integer
 ATTRIBUTE Aruba-Network-Test 65 integer
-ATTRIBUTE Aruba-MPSK-Lookup-Info 66 string
+ATTRIBUTE Aruba-MPSK-Lookup-Info 66 string encrypt=1
 ATTRIBUTE Aruba-AVPair 67 string
 ATTRIBUTE Aruba-DPP-Service-Type 68 integer
diff --git a/src/lib/radius.c b/src/lib/radius.c
index 6aec0f04233..7ff5bd1406c 100644
--- a/src/lib/radius.c
+++ b/src/lib/radius.c
@@ -536,7 +536,7 @@ static void make_secret(uint8_t *digest, uint8_t const *vector,
 fr_md5_destroy(&context);
 }
-#define MAX_PASS_LEN (128)
+#define MAX_PASS_LEN (256)
 static void make_passwd(uint8_t *output, ssize_t *outlen, uint8_t const *input, size_t inlen, char const *secret, uint8_t const *vector)
@@ -3938,7 +3938,7 @@ ssize_t data2vp(TALLOC_CTX *ctx,
 VALUE_PAIR *vp;
 uint8_t const *data = start;
 char *p;
- uint8_t buffer[256];
+ uint8_t buffer[MAX_PASS_LEN];
 /* * FIXME: Attrlen can be larger than 253 for extended attrs!
@@ -4054,7 +4054,7 @@ ssize_t data2vp(TALLOC_CTX *ctx,
 attrlen, secret, packet->vector);
 }
- buffer[253] = '\0';
+ buffer[attrlen] = '\0';
 /* * MS-CHAP-MPPE-Keys are 24 octets, and
@@ -4761,7 +4761,7 @@ int rad_pwencode(char *passwd, size_t *pwlen, char const *secret,
 */
 len = *pwlen;
- if (len > 128) len = 128;
+ if (len > MAX_STRING_LEN) len = MAX_STRING_LEN;
 if (len == 0) {
 memset(passwd, 0, AUTH_PASS_LEN);
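Review bot: `MAX_PASS_LEN` is raised to 256 without any comment tying it to the buffers that now depend on it, and 256 is more than the 253 octets of value a standard RADIUS attribute can carry. make_passwd's body is outside this hunk, so whether its `output` argument has room for MAX_PASS_LEN octets at every call site cannot be confirmed from here and should be checked. I would add a comment above the define, for example `/* Upper bound on an encrypted password; every buffer handed to make_passwd() must hold at least this many octets. */`.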
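Review bot: `buffer[attrlen] = '\0';` in data2vp indexes a `MAX_PASS_LEN`-octet array with a length taken from the packet, and the FIXME in this same function warns that attrlen can exceed 253 for extended attributes. The old `buffer[253]` store was always in bounds; the new one is only safe if a check earlier in the decrypt branch, outside these hunks, guarantees `attrlen < sizeof(buffer)`. The rad_pwdecode hunk later in this patch also drops its `pwlen` clamp, so nothing visible in the patch bounds the length any more. I would make the invariant explicit next to the store, e.g. `if (attrlen >= sizeof(buffer)) return -1;`, or declare `uint8_t buffer[MAX_PASS_LEN + 1];` and reject `attrlen > MAX_PASS_LEN`.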
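Review bot: The clamp in rad_pwencode now uses `MAX_STRING_LEN`, a constant defined outside this patch, while the rest of the change sizes buffers with `MAX_PASS_LEN`, so the encode and decode limits are no longer obviously the same number. The visible `len == 0` branch pads `passwd` to `AUTH_PASS_LEN`; if non-zero lengths are rounded up to the block size in the same way further down (outside the hunk), a clamp that is not a multiple of AUTH_PASS_LEN lets the padding write past the clamped length in a caller-owned buffer. I would clamp to a block-aligned bound, `if (len > MAX_PASS_LEN) len = MAX_PASS_LEN;`, and state the required capacity of `passwd` in the function comment.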
@@ -4820,13 +4820,6 @@ int rad_pwdecode(char *passwd, size_t pwlen, char const *secret, int i; size_t n, secretlen; - /* - * The RFC's say that the maximum is 128. - * The buffer we're putting it into above is 254, so - * we don't need to do any length checking. - */ - if (pwlen > 128) pwlen = 128; - /* * Catch idiots. */ diff --git a/src/tests/unit/vendor.txt b/src/tests/unit/vendor.txt index 1325f49bd8b..088bd1b551e 100644 --- a/src/tests/unit/vendor.txt +++ b/src/tests/unit/vendor.txt @@ -46,3 +46,9 @@ original null encode ERX-LI-Action = off decode - data ERX-LI-Action = off + +encode Aruba-MPSK-Lookup-Info = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" +data 1a c8 00 00 39 e7 42 c2 c5 6f 16 e5 de 2d 2a 2d d3 0e ac 92 12 c5 97 af 8e 08 f0 92 b4 45 4d 24 5d 73 16 a8 5a cd 78 0a f2 5e 7f e5 e1 fe 95 79 ee 2e 5b 0e ac bf fd 8c 15 da 9c 59 1d 53 5b 76 49 e9 71 4d d7 00 1c 04 65 51 cb 35 66 81 36 0d 25 ab 23 3b 67 5a 30 f8 0d 66 2b bf 97 f5 18 03 34 79 7a 22 11 c1 02 78 94 b0 26 62 13 4a c1 9c 77 6f b8 7c 29 ee 8b 61 14 de 90 b6 94 3f d0 01 00 57 6d 48 2a 59 f3 d4 57 d2 04 af 4e 64 0b 11 31 9e 63 49 f3 fa 61 4d c9 38 88 d1 89 3f 2a 10 d3 8f a0 5d 46 5f 0a b1 2f 9a 70 fa 35 79 c7 a6 68 69 28 98 49 d5 7a 29 9d dc 3d 2f 43 52 f5 12 b3 bf 61 80 2e 7a 3a 0c + +decode - +data Aruba-MPSK-Lookup-Info = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -- 2.47.3
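Review bot: The new vendor.txt vector exercises a single length below the maximum: the vendor attribute's length octet is `c2`, i.e. 192 octets of ciphertext. Nothing here pins the behaviour at the boundary this commit moves, which is where an off-by-one in the radius.c buffers would show up. I would add an encode/decode pair whose value fills the attribute to its maximum size, plus an encode of a longer string to record how truncation is handled.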