Allow krad UDP/TCP localhost connection with FIPS

libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for
network communication. However, FreeRadius requires connection on TCP or
UDP ports.

This commit allows TCP or UDP connections in FIPS mode if destination is
localhost.

Resolves: rhbz#2082189

Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
Julien Rische 2022-05-10 16:43:18 +02:00
parent c25a51c969
commit e9188f0caa
2 changed files with 87 additions and 1 deletions

View File

@ -0,0 +1,81 @@
From a43d621ae83c89abb74764f0fd9d90a8e9992333 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Thu, 5 May 2022 17:15:12 +0200
Subject: [PATCH] Allow krad UDP/TCP localhost connection with FIPS
libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for
network communication. However, FreeRadius requires connection on TCP or
UDP ports.
This commit allows TCP or UDP connections in FIPS mode if destination is
localhost.
Resolves: rhbz#2082189
---
src/lib/krad/remote.c | 35 +++++++++++++++++++++++++++++++++--
1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
index 7b5804b1d..e671bc5c2 100644
--- a/src/lib/krad/remote.c
+++ b/src/lib/krad/remote.c
@@ -33,6 +33,7 @@
#include <string.h>
#include <unistd.h>
+#include <stdbool.h>
#include <sys/un.h>
@@ -74,6 +75,35 @@ on_io(verto_ctx *ctx, verto_ev *ev);
static void
on_timeout(verto_ctx *ctx, verto_ev *ev);
+static in_addr_t get_in_addr(struct addrinfo *info)
+{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
+
+static struct in6_addr *get_in6_addr(struct addrinfo *info)
+{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
+
+static bool is_inet_localhost(struct addrinfo *info)
+{
+ struct addrinfo *p;
+
+ for (p = info; p; p = p->ai_next) {
+ switch (p->ai_family) {
+ case AF_INET:
+ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
+ >> IN_CLASSA_NSHIFT))
+ return false;
+ break;
+ case AF_INET6:
+ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
+ return false;
+ break;
+ default:
+ return false;
+ }
+ }
+
+ return true;
+}
+
/* Iterate over the set of outstanding packets. */
static const krad_packet *
iterator(request **out)
@@ -455,8 +485,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
(krad_packet_iter_cb)iterator, &r, &tmp);
if (retval != 0)
goto error;
- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
- rr->info->ai_family != AF_UNIX) {
+ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
+ && rr->info->ai_family != AF_UNIX
+ && !is_inet_localhost(rr->info)) {
/* This would expose cleartext passwords, so abort. */
retval = ESOCKTNOSUPPORT;
goto error;
--
2.35.1

View File

@ -42,7 +42,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.19.2
Release: %{?zdpd}10%{?dist}
Release: %{?zdpd}11%{?dist}
# rharwood has trust path to signing key and verifies on check-in
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@ -99,6 +99,7 @@ Patch38: krb5-krad-remote.patch
Patch39: krb5-krad-larger-attrs.patch
Patch40: Try-harder-to-avoid-password-change-replay-errors.patch
Patch41: Add-configure-variable-for-default-PKCS-11-module.patch
Patch42: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
License: MIT
URL: https://web.mit.edu/kerberos/www/
@ -649,6 +650,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.2-11
- Allow libkrad UDP/TCP connection to localhost in FIPS mode
- Resolves: rhbz#2082189
* Mon May 2 2022 Julien Rische <jrische@redhat.com> - 1.19.2-10
- Use p11-kit as default PKCS11 module
- Resolves: rhbz#2073274