diff --git a/downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch b/downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
new file mode 100644
index 0000000..7455cb9
--- /dev/null
+++ b/downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
@@ -0,0 +1,81 @@
+From a43d621ae83c89abb74764f0fd9d90a8e9992333 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Thu, 5 May 2022 17:15:12 +0200
+Subject: [PATCH] Allow krad UDP/TCP localhost connection with FIPS
+
+libkrad allows to establish connections only to UNIX socket in FIPS
+mode, because MD5 digest is not considered safe enough to be used for
+network communication. However, FreeRadius requires connection on TCP or
+UDP ports.
+
+This commit allows TCP or UDP connections in FIPS mode if destination is
+localhost.
+
+Resolves: rhbz#2082189
+---
+ src/lib/krad/remote.c | 35 +++++++++++++++++++++++++++++++++--
+ 1 file changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
+index 7b5804b1d..e671bc5c2 100644
+--- a/src/lib/krad/remote.c
++++ b/src/lib/krad/remote.c
+@@ -33,6 +33,7 @@
+ 
+ #include
+ #include
++#include
+ 
+ #include
+ 
+@@ -74,6 +75,35 @@ on_io(verto_ctx *ctx, verto_ev *ev);
+ static void
+ on_timeout(verto_ctx *ctx, verto_ev *ev);
+ 
++static in_addr_t get_in_addr(struct addrinfo *info)
++{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
++
++static struct in6_addr *get_in6_addr(struct addrinfo *info)
++{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
++
++static bool is_inet_localhost(struct addrinfo *info)
++{
++ struct addrinfo *p;
++
++ for (p = info; p; p = p->ai_next) {
++ switch (p->ai_family) {
++ case AF_INET:
++ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
++ >> IN_CLASSA_NSHIFT))
++ return false;
++ break;
++ case AF_INET6:
++ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
++ return false;
++ break;
++ default:
++ return false;
++ }
++ }
++
++ return true;
++}
++
+ /* Iterate over the set of outstanding packets. */
+ static const krad_packet *
+ iterator(request **out)
+@@ -455,8 +485,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
+ (krad_packet_iter_cb)iterator, &r, &tmp);
+ if (retval != 0)
+ goto error;
+- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
+- rr->info->ai_family != AF_UNIX) {
++ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
++ && rr->info->ai_family != AF_UNIX
++ && !is_inet_localhost(rr->info)) {
+ /* This would expose cleartext passwords, so abort. */
+ retval = ESOCKTNOSUPPORT;
+ goto error;
+-- 
+2.35.1
+
diff --git a/krb5.spec b/krb5.spec
index c59f2d0..89ed921 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -42,7 +42,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.19.2
-Release: %{?zdpd}10%{?dist}
+Release: %{?zdpd}11%{?dist}
 # rharwood has trust path to signing key and verifies on check-in
 Source0: https://web.mit.edu/kerberos/dist/krb5/%{version}/krb5-%{version}%{?dashpre}.tar.gz
@@ -99,6 +99,7 @@ Patch38: krb5-krad-remote.patch
 Patch39: krb5-krad-larger-attrs.patch
 Patch40: Try-harder-to-avoid-password-change-replay-errors.patch
 Patch41: Add-configure-variable-for-default-PKCS-11-module.patch
+Patch42: downstream-Allow-krad-UDP-TCP-localhost-connection-with-FIPS.patch
 
 License: MIT
 URL: https://web.mit.edu/kerberos/www/
@@ -649,6 +650,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 
 %changelog
+* Thu May 12 2022 Julien Rische - 1.19.2-11
+- Allow libkrad UDP/TCP connection to localhost in FIPS mode
+- Resolves: rhbz#2082189
+
 * Mon May 2 2022 Julien Rische - 1.19.2-10
 - Use p11-kit as default PKCS11 module
 - Resolves: rhbz#2073274
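Review bot: The AF_INET test in is_inet_localhost depends on host byte order: `>>` binds tighter than `&`, so the mask reduces to 0xff and the comparison reads the low byte of the network-order s_addr, which is the first octet only on little-endian hosts; on a big-endian build 127.0.0.1 is rejected and any address whose last octet is 127 would be treated as loopback, which silently widens the FIPS exception there. Convert to host order and parenthesize the mask before shifting: `if (IN_LOOPBACKNET != ((ntohl(get_in_addr(p)) & IN_CLASSA_NET) >> IN_CLASSA_NSHIFT))` / `return false;` — ntohl() is declared in <arpa/inet.h>, and the header named by the added #include is not visible on this page, so check it covers that. The fail-closed shape of the loop (one non-loopback entry, including an IPv4-mapped ::ffff:127.0.0.1 which IN6_IS_ADDR_LOOPBACK does not match, disqualifies the whole list) is the right default for a FIPS exemption and deserves a comment above the function, e.g. `/* True only if every address in the list is loopback; anything else keeps the FIPS restriction. */`. The two one-line `{ return ...; }` helpers also break the layout convention visible in the surrounding context (return type on its own line, braced body on separate lines).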