From d78e3940d15c003432804f0183c1f40ae84939c7 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Fri, 6 May 2022 10:56:10 +0200
Subject: [PATCH] Allow krad UDP/TCP localhost connection with FIPS

libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for
network communication. However, FreeRadius requires connection on TCP or
UDP ports.

This commit allows TCP or UDP connections in FIPS mode if destination is
localhost.

Resolves: rhbz#2068458

Signed-off-by: Julien Rische <jrische@redhat.com>
---
 ...CP-connection-to-localhost-with-FIPS.patch | 82 +++++++++++++++++++
 krb5.spec                                     |  7 +-
 2 files changed, 88 insertions(+), 1 deletion(-)
 create mode 100644 downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch

diff --git a/downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch b/downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch
new file mode 100644
index 0000000..5f4e4ce
--- /dev/null
+++ b/downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch
@@ -0,0 +1,82 @@
+From 790f485cf57e4de65351c29c41666db6370ef367 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Thu, 5 May 2022 17:15:12 +0200
+Subject: [PATCH] Allow krad TCP connection to localhost with FIPS
+
+libkrad allows to establish connections only to UNIX socket in FIPS
+mode, because MD5 digest is not considered safe enough to be used for
+network communication. However, FreeRadius requires connection on TCP or
+UDP ports.
+
+This commit allows TCP or UDP connections in FIPS mode if destination is
+localhost.
+
+Resolves: rhbz#2068458
+---
+ src/lib/krad/remote.c | 36 ++++++++++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index eca432424..c8912892c 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -33,6 +33,7 @@
+ 
+ #include <string.h>
+ #include <unistd.h>
++#include <stdbool.h>
+ 
+ #include <sys/un.h>
+ 
+@@ -74,6 +75,36 @@ on_io(verto_ctx *ctx, verto_ev *ev);
+ static void
+ on_timeout(verto_ctx *ctx, verto_ev *ev);
+ 
++static in_addr_t get_in_addr(struct addrinfo *info)
++{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
++
++static struct in6_addr *get_in6_addr(struct addrinfo *info)
++{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
++
++static bool is_inet_localhost(struct addrinfo *info)
++{
++    struct addrinfo *p;
++
++    for (p = info; p; p = p->ai_next) {
++        switch (p->ai_family) {
++            case AF_INET:
++                if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
++                                                      >> IN_CLASSA_NSHIFT))
++                    return false;
++                break;
++            case AF_INET6:
++                if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
++                    return false;
++                break;
++            default:
++                return false;
++        }
++    }
++
++    return true;
++}
++
++
+ /* Iterate over the set of outstanding packets. */
+ static const krad_packet *
+ iterator(request **out)
+@@ -455,8 +486,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+                                      (krad_packet_iter_cb)iterator, &r, &tmp);
+     if (retval != 0)
+         goto error;
+-    else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
+-        rr->info->ai_family != AF_UNIX) {
++    else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
++                          && rr->info->ai_family != AF_UNIX
++                          && !is_inet_localhost(rr->info)) {
+         /* This would expose cleartext passwords, so abort. */
+         retval = ESOCKTNOSUPPORT;
+         goto error;
+-- 
+2.35.1
+
diff --git a/krb5.spec b/krb5.spec
index 510db40..a5b6f19 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -42,7 +42,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.1
-Release: %{?zdpd}19%{?dist}
+Release: %{?zdpd}20%{?dist}
 
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@@ -94,6 +94,7 @@ Patch29: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
 Patch30: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
 Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
 Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
+Patch33: downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -651,6 +652,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20
+- Allow libkrad UDP/TCP connection to localhost in FIPS mode
+- Resolves: rhbz#2068458
+
 * Mon May 02 2022 Julien Rische <jrische@redhat.com> - 1.19.1-19
 - Use p11-kit as default PKCS11 module
 - Resolves: rhbz#2030981