diff --git a/downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch b/downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch
new file mode 100644
index 0000000..5f4e4ce
--- /dev/null
+++ b/downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch
@@ -0,0 +1,82 @@
+From 790f485cf57e4de65351c29c41666db6370ef367 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Thu, 5 May 2022 17:15:12 +0200
+Subject: [PATCH] Allow krad TCP connection to localhost with FIPS
+
+libkrad allows to establish connections only to UNIX socket in FIPS
+mode, because MD5 digest is not considered safe enough to be used for
+network communication. However, FreeRadius requires connection on TCP or
+UDP ports.
+
+This commit allows TCP or UDP connections in FIPS mode if destination is
+localhost.
+
+Resolves: rhbz#2068458
+---
+ src/lib/krad/remote.c | 36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index eca432424..c8912892c 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -33,6 +33,7 @@
+ 
+ #include
+ #include
++#include
+ 
+ #include
+ 
+@@ -74,6 +75,36 @@ on_io(verto_ctx *ctx, verto_ev *ev);
+ static void
+ on_timeout(verto_ctx *ctx, verto_ev *ev);
+ 
++static in_addr_t get_in_addr(struct addrinfo *info)
++{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
++
++static struct in6_addr *get_in6_addr(struct addrinfo *info)
++{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
++
++static bool is_inet_localhost(struct addrinfo *info)
++{
++ struct addrinfo *p;
++
++ for (p = info; p; p = p->ai_next) {
++ switch (p->ai_family) {
++ case AF_INET:
++ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
++ >> IN_CLASSA_NSHIFT))
++ return false;
++ break;
++ case AF_INET6:
++ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
++ return false;
++ break;
++ default:
++ return false;
++ }
++ }
++
++ return true;
++}
++
++
+ /* Iterate over the set of outstanding packets. */
+ static const krad_packet *
+ iterator(request **out)
+@@ -455,8 +486,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+ (krad_packet_iter_cb)iterator, &r, &tmp);
+ if (retval != 0)
+ goto error;
+- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
+- rr->info->ai_family != AF_UNIX) {
++ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
++ && rr->info->ai_family != AF_UNIX
++ && !is_inet_localhost(rr->info)) {
+ /* This would expose cleartext passwords, so abort. */
+ retval = ESOCKTNOSUPPORT;
+ goto error;
+-- 
+2.35.1
+
diff --git a/krb5.spec b/krb5.spec
index 510db40..a5b6f19 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -42,7 +42,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.1
-Release: %{?zdpd}19%{?dist}
+Release: %{?zdpd}20%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@@ -94,6 +94,7 @@ Patch29: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
 Patch30: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
 Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
 Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
+Patch33: downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -651,6 +652,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Thu May 12 2022 Julien Rische - 1.19.1-20
+- Allow libkrad UDP/TCP connection to localhost in FIPS mode
+- Resolves: rhbz#2068458
+
 * Mon May 02 2022 Julien Rische - 1.19.1-19
 - Use p11-kit as default PKCS11 module
 - Resolves: rhbz#2030981
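Review bot: The IPv4 branch of is_inet_localhost in the embedded remote.c patch compares `s_addr`, which is in network byte order, against the host-order class-A constants, and since `>>` binds tighter than `&` the test reduces to `s_addr & 0xff` == 127; that selects 127.x.x.x only on little-endian hosts, while on a big-endian host it would instead accept any address whose last octet is 127 and reject real loopback addresses (inferred from the expression, not run on such a host). Convert to host order and parenthesize the mask before the shift: `if (IN_LOOPBACKNET != ((ntohl(get_in_addr(p)) & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT))`. The IPv6 branch is fail-closed the other way, since IN6_IS_ADDR_LOOPBACK does not match an IPv4-mapped loopback entry, which is acceptable for a check whose purpose is to keep MD5-protected RADIUS traffic off the wire in FIPS mode. A short comment above is_inet_localhost stating the all-entries contract would help the caller in kr_remote_send, e.g. `/* Return true only if every address in the getaddrinfo list is a loopback address; any other family or address fails closed. */`.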