Allow krad UDP/TCP localhost connection with FIPS
libkrad allows to establish connections only to UNIX socket in FIPS mode, because MD5 digest is not considered safe enough to be used for network communication. However, FreeRadius requires connection on TCP or UDP ports. This commit allows TCP or UDP connections in FIPS mode if destination is localhost. Resolves: rhbz#2082189 Signed-off-by: Julien Rische <jrische@redhat.com>
This commit is contained in:
Julien Rische
parent
c25a51c969
commit
e9188f0caa
@ -0,0 +1,81 @@
|
||||
From a43d621ae83c89abb74764f0fd9d90a8e9992333 Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Thu, 5 May 2022 17:15:12 +0200
|
||||
Subject: [PATCH] Allow krad UDP/TCP localhost connection with FIPS
|
||||
|
||||
libkrad allows to establish connections only to UNIX socket in FIPS
|
||||
mode, because MD5 digest is not considered safe enough to be used for
|
||||
network communication. However, FreeRadius requires connection on TCP or
|
||||
UDP ports.
|
||||
|
||||
This commit allows TCP or UDP connections in FIPS mode if destination is
|
||||
localhost.
|
||||
|
||||
Resolves: rhbz#2082189
|
||||
---
|
||||
src/lib/krad/remote.c | 35 +++++++++++++++++++++++++++++++++--
|
||||
1 file changed, 33 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
||||
index 7b5804b1d..e671bc5c2 100644
|
||||
--- a/src/lib/krad/remote.c
|
||||
+++ b/src/lib/krad/remote.c
|
||||
@@ -33,6 +33,7 @@
|
||||
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
+#include <stdbool.h>
|
||||
|
||||
#include <sys/un.h>
|
||||
|
||||
@@ -74,6 +75,35 @@ on_io(verto_ctx *ctx, verto_ev *ev);
|
||||
static void
|
||||
on_timeout(verto_ctx *ctx, verto_ev *ev);
|
||||
|
||||
+static in_addr_t get_in_addr(struct addrinfo *info)
|
||||
+{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
|
||||
+
|
||||
+static struct in6_addr *get_in6_addr(struct addrinfo *info)
|
||||
+{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
|
||||
+
|
||||
+static bool is_inet_localhost(struct addrinfo *info)
|
||||
+{
|
||||
+ struct addrinfo *p;
|
||||
+
|
||||
+ for (p = info; p; p = p->ai_next) {
|
||||
+ switch (p->ai_family) {
|
||||
+ case AF_INET:
|
||||
+ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
|
||||
+ >> IN_CLASSA_NSHIFT))
|
||||
+ return false;
|
||||
+ break;
|
||||
+ case AF_INET6:
|
||||
+ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
|
||||
+ return false;
|
||||
+ break;
|
||||
+ default:
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return true;
|
||||
+}
|
||||
+
|
||||
/* Iterate over the set of outstanding packets. */
|
||||
static const krad_packet *
|
||||
iterator(request **out)
|
||||
@@ -455,8 +485,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
|
||||
(krad_packet_iter_cb)iterator, &r, &tmp);
|
||||
if (retval != 0)
|
||||
goto error;
|
||||
- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
|
||||
- rr->info->ai_family != AF_UNIX) {
|
||||
+ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
|
||||
+ && rr->info->ai_family != AF_UNIX
|
||||
+ && !is_inet_localhost(rr->info)) {
|
||||
/* This would expose cleartext passwords, so abort. */
|
||||
retval = ESOCKTNOSUPPORT;
|
||||
goto error;
|
||||
--
|
||||
2.35.1
|
||||
|
||||
@ -42,7 +42,7 @@
|
||||
Summary: The Kerberos network authentication system
|
||||
Name: krb5
|
||||
Version: 1.19.2
|
||||
Release: %{?zdpd}10%{?dist}
|
||||
Release: %{?zdpd}11%{?dist}
|
||||
|
||||
# rharwood has trust path to signing key and verifies on check-in
|
||||
Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
|
||||
@ -99,6 +99,7 @@ Patch38: krb5-krad-remote.patch
|
||||
Patch39: krb5-krad-larger-attrs.patch
|
||||
Patch40: Try-harder-to-avoid-password-change-replay-errors.patch
|
||||
Patch41: Add-configure-variable-for-default-PKCS-11-module.patch
|
||||
Patch42: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
|
||||
|
||||
License: MIT
|
||||
URL: https://web.mit.edu/kerberos/www/
|
||||
@ -649,6 +650,10 @@ exit 0
|
||||
%{_libdir}/libkadm5srv_mit.so.*
|
||||
|
||||
%changelog
|
||||
* Thu May 12 2022 Julien Rische <jrische@redhat.com> - 1.19.2-11
|
||||
- Allow libkrad UDP/TCP connection to localhost in FIPS mode
|
||||
- Resolves: rhbz#2082189
|
||||
|
||||
* Mon May 2 2022 Julien Rische <jrische@redhat.com> - 1.19.2-10
|
||||
- Use p11-kit as default PKCS11 module
|
||||
- Resolves: rhbz#2073274
|
||||
|
||||
Loading…
Reference in New Issue
Block a user