Bypass OpenSSL's restrictions to use KRB5KDF in FIPS mode in case at
least one of AES SHA-1 HMAC encryption types are used.
Use OpenSSL 3.0 library context to access MD4 and MD5 lazily from
legacy provider if RADIUS is being used or RC4 encryption type is
enabled, without affecting global context.
Such exceptions should not be allowed by the default FIPS crypto
policy.
Resolves: rhbz#2162461
Signed-off-by: Julien Rische <jrische@redhat.com>
The sssd_krb5_locator_plugin.so plugin provided by sssd-client conflicts
with the upstream test t_discover_uri.py. The test has to be modified in
order to avoid false positive.
Resolves: rhbz#2151513
Signed-off-by: Julien Rische <jrische@redhat.com>
If the dump file size does not fit in 32 bits, encode four zero bytes
(forcing an error for unmodified kpropd) followed by the size in the
next 64 bits.
Add a functional test case, but only run it when an environment
variable is set, as processing a 4GB dump file is too
resource-intensive for make check.
Resolves: rhbz#2133014
Signed-off-by: Julien Rische <jrische@redhat.com>
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
Otherwise attributes longer than 125 characters will be rejected with
EBADMSG.
Add a 253-character-long NAS-Identifier attribute to the tests to make
sure that attributes with the maximal number of characters are working
as expected.
[ghudson@mit.edu: used uint8_t cast per current practices; edited
commit message]
ticket: 9036 (new)
From upstream, needed in preparation for OAuth2 support for FreeIPA and
SSSD.
Resolves: rhbz#2100351
Signed-off-by: Julien Rische <jrische@redhat.com>
MD4 cipher requires OpenSSL3's "legacy" provider, while MD5 fetched from
the "default" one. Both ciphers are unavailable in FIPS mode, however
MD5 is tolerated for RADIUS requests on local host.
The OpenSSL3 library context was missing the "default" provider, causing
MD5 encryption to fail in FIPS mode.
Resolves: rhbz#2068458
Signed-off-by: Julien Rische <jrische@redhat.com>
libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for
network communication. However, FreeRadius requires connection on TCP or
UDP ports.
This commit allows TCP or UDP connections in FIPS mode if destination is
localhost.
Resolves: rhbz#2068458
Signed-off-by: Julien Rische <jrische@redhat.com>
change_set_password() was changed to prefer TCP. However, because
UDP_LAST falls back to UDP after one second, we can still get a replay
error due to a dropped packet, before the TCP layer has a chance to
retry.
Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server. In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.
Resolves: rhbz#2075186
Signed-off-by: Julien Rische <jrische@redhat.com>
Global dejagnu tests in src/tests/dejagnu were not following the
enforced test suite directory naming.
Resolves: rhbz#2053133
Signed-off-by: Julien Rische <jrische@redhat.com>
Since version 1.6.3, dejagnu started to enforce a naming convention that
was already in place, but not mandatory: dejagnu test directories have
to be named "testsuite". If they don't implicit relative sub-paths
resolution (e.g. "lib", "config") is not forking.
This commit renames kadm5 library's unit tests directory to match this
requirement.
This fix won't be applied upstream because these tests were removed in
version 1.20.
Resolves: rhbz#2053133
Signed-off-by: Julien Rische <jrische@redhat.com>
CMS digest and signature algorithm for the anonymous PKINIT is changed
from SHA-1 to SHA-256. SHA-1 hasn't been considered secure anymore for
this kind of purposes for some years already.
Resolves: rhbz#2064823
Signed-off-by: Julien Rische <jrische@redhat.com>
Bypass OpenSSL's restrictions to use KRB5KDF in FIPS mode in case at
least one of AES SHA-1 HMAC encryption types are used.
Use OpenSSL 3.0 library context to access MD4 and MD5 lazily from
legacy provider if RADIUS is being used or RC4 encryption type is
enabled, without affecting global context.
Remove EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag since does not have any
effect anymore.
Such exceptions should not be allowed by the default FIPS crypto
policy.
Resolves: rhbz#2039684
Resolves: rhbz#2053135
Signed-off-by: Julien Rische <jrische@redhat.com>
