Allow krad UDP/TCP localhost connection with FIPS
In FIPS mode, libkrad allows connections only to UNIX sockets, because the MD5 digest is not considered safe enough for network communication. However, FreeRADIUS requires a connection on a TCP or UDP port. This commit allows TCP or UDP connections in FIPS mode if the destination is localhost. Resolves: rhbz#2068458 Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
parent
99ca133dd0
commit
d78e3940d1
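--- /dev/null
+++ b/downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch
@@ -0,0 +1,82 @@
+From 790f485cf57e4de65351c29c41666db6370ef367 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Thu, 5 May 2022 17:15:12 +0200
+Subject: [PATCH] Allow krad TCP connection to localhost with FIPS
+
+libkrad allows to establish connections only to UNIX socket in FIPS
+mode, because MD5 digest is not considered safe enough to be used for
+network communication. However, FreeRadius requires connection on TCP or
+UDP ports.
+
+This commit allows TCP or UDP connections in FIPS mode if destination is
+localhost.
+
+Resolves: rhbz#2068458
+---
+src/lib/krad/remote.c | 36 ++++++++++++++++++++++++++++++++++--
+1 file changed, 34 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index eca432424..c8912892c 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -33,6 +33,7 @@
+
+#include <string.h>
+#include <unistd.h>
++#include <stdbool.h>
+
+#include <sys/un.h>
+
+@@ -74,6 +75,36 @@ on_io(verto_ctx *ctx, verto_ev *ev);
+static void
+on_timeout(verto_ctx *ctx, verto_ev *ev);
+
++static in_addr_t get_in_addr(struct addrinfo *info)
++{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
++
++static struct in6_addr *get_in6_addr(struct addrinfo *info)
++{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
++
++static bool is_inet_localhost(struct addrinfo *info)
++{
++ struct addrinfo *p;
++
++ for (p = info; p; p = p->ai_next) {
++ switch (p->ai_family) {
++ case AF_INET:
++ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
++ >> IN_CLASSA_NSHIFT))
++ return false;
++ break;
++ case AF_INET6:
++ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
++ return false;
++ break;
++ default:
++ return false;
++ }
++ }
++
++ return true;
++}
++
++
+/* Iterate over the set of outstanding packets. */
+static const krad_packet *
+iterator(request **out)
+@@ -455,8 +486,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+(krad_packet_iter_cb)iterator, &r, &tmp);
+if (retval != 0)
+goto error;
+- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
+- rr->info->ai_family != AF_UNIX) {
++ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
++ && rr->info->ai_family != AF_UNIX
++ && !is_inet_localhost(rr->info)) {
+/* This would expose cleartext passwords, so abort. */
+retval = ESOCKTNOSUPPORT;
+goto error;
+--
+2.35.1
+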
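Review bot: The IPv4 loopback test in is_inet_localhost (in the embedded remote.c hunk) mixes byte orders: sin_addr.s_addr is in network byte order while IN_CLASSA_NET and IN_LOOPBACKNET are host-order constants, and because `>>` binds tighter than `&` the expression reduces to `s_addr & 0xff`, which is the first octet only on little-endian hosts. On a big-endian host it is the last octet, so 127.0.0.1 is rejected while any address ending in .127 is treated as loopback and the FIPS guard in kr_remote_send no longer fails closed. Convert to host order and shift the whole address: `if (IN_LOOPBACKNET != (ntohl(get_in_addr(p)) >> IN_CLASSA_NSHIFT))`. An empty list also yields true; the caller dereferences rr->info first so it cannot be NULL there, but `if (info == NULL) return false;` at the top would keep the helper fail-closed on its own. kr_remote_send starts and ends outside the hunk.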
@ -42,7 +42,7 @@
|
|||||||
Summary: The Kerberos network authentication system
|
Summary: The Kerberos network authentication system
|
||||||
Name: krb5
|
Name: krb5
|
||||||
Version: 1.19.1
|
Version: 1.19.1
|
||||||
Release: %{?zdpd}19%{?dist}
|
Release: %{?zdpd}20%{?dist}
|
||||||
|
|
||||||
# rharwood has trust path to signing key and verifies on check-in
|
# rharwood has trust path to signing key and verifies on check-in
|
||||||
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
|
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
|
||||||
@ -94,6 +94,7 @@ Patch29: Use-SHA256-instead-of-SHA1-for-PKINIT-CMS-digest.patch
|
|||||||
Patch30: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
|
Patch30: downstream-Use-newly-enforced-dejagnu-path-naming-convention.patch
|
||||||
Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
|
Patch31: Try-harder-to-avoid-password-change-replay-errors.patch
|
||||||
Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
|
Patch32: Add-configure-variable-for-default-PKCS-11-module.patch
|
||||||
|
Patch33: downstream-Allow-krad-TCP-connection-to-localhost-with-FIPS.patch
|
||||||
|
|
||||||
License: MIT
|
License: MIT
|
||||||
URL: https://web.mit.edu/kerberos/www/
|
URL: https://web.mit.edu/kerberos/www/
|
||||||
@ -651,6 +652,10 @@ exit 0
|
|||||||
%{_libdir}/libkadm5srv_mit.so.*
|
%{_libdir}/libkadm5srv_mit.so.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.1-20
|
||||||
|
- Allow libkrad UDP/TCP connection to localhost in FIPS mode
|
||||||
|
- Resolves: rhbz#2068458
|
||||||
|
|
||||||
* Mon May 02 2022 Julien Rische <jrische@redhat.com> - 1.19.1-19
|
* Mon May 02 2022 Julien Rische <jrische@redhat.com> - 1.19.1-19
|
||||||
- Use p11-kit as default PKCS11 module
|
- Use p11-kit as default PKCS11 module
|
||||||
- Resolves: rhbz#2030981
|
- Resolves: rhbz#2030981
|
||||||
|