Commit Graph

35 Commits

Author SHA1 Message Date
Julien Rische
08803b1c46 Allow use of larger RADIUS attributes in krad library
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
    Otherwise attributes longer than 125 characters will be rejected with
    EBADMSG.

    Add a 253-character-long NAS-Identifier attribute to the tests to make
    sure that attributes with the maximal number of characters are working
    as expected.

    [ghudson@mit.edu: used uint8_t cast per current practices; edited
    commit message]

    ticket: 9036 (new)

From upstream, needed in preparation for OAuth2 support for FreeIPA and
SSSD.

Resolves: rhbz#2100351

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-06-23 14:48:11 +02:00
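Added example for the length-byte fix described in this commit (written for this page; it is not libkrad's kr_attrset_decode). A RADIUS attribute is Type (1 byte), Length (1 byte, counting the two header bytes), Value; the Length byte is therefore 2..255 and the longest value is 253 bytes. Reading that byte through a signed type turns 0x80..0xFF into negative numbers, so every value longer than 125 bytes fails the "len < 2" check. The functions radius_attr_encode, radius_attr_decode_buggy, radius_attr_decode_fixed and radius_attr_roundtrip, and the constructed all-'A' NAS-Identifier values, are this example's own; the buggy decoder uses signed char explicitly so it misbehaves on every platform, which is what plain char gives you on x86 Linux.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RADIUS_ATTR_NAS_IDENTIFIER 32
#define RADIUS_ATTR_MAX_VALUE 253 /* 8-bit Length includes the 2-byte header */

/* Encode one Type/Length/Value attribute into out.
 * Returns bytes written, or 0 if the value is too long or does not fit. */
size_t radius_attr_encode(uint8_t type, const unsigned char *val, size_t vallen,
                          unsigned char *out, size_t outlen)
{
    if (vallen > RADIUS_ATTR_MAX_VALUE || outlen < vallen + 2)
        return 0;
    out[0] = type;
    out[1] = (unsigned char)(vallen + 2);
    memcpy(out + 2, val, vallen);
    return vallen + 2;
}

/* Decode the attribute at the start of buf. Returns 0 and fills type/vallen,
 * or EBADMSG (the error libkrad reports) on a malformed attribute.
 * BUG: the Length byte is read through a signed type, so 0x80..0xFF
 * become negative and any value longer than 125 bytes is rejected. */
int radius_attr_decode_buggy(const char *buf, size_t buflen,
                             uint8_t *type, size_t *vallen)
{
    int len;

    if (buflen < 2)
        return EBADMSG;
    len = (signed char)buf[1];          /* 0xFF reads as -1 */
    if (len < 2 || (size_t)len > buflen)
        return EBADMSG;
    *type = (uint8_t)buf[0];
    *vallen = (size_t)len - 2;
    return 0;
}

/* Same decoder with the fix: the Length byte is explicitly unsigned. */
int radius_attr_decode_fixed(const char *buf, size_t buflen,
                             uint8_t *type, size_t *vallen)
{
    size_t len;

    if (buflen < 2)
        return EBADMSG;
    len = (uint8_t)buf[1];              /* 0xFF reads as 255 */
    if (len < 2 || len > buflen)        /* also rejects a truncated buffer */
        return EBADMSG;
    *type = (uint8_t)buf[0];
    *vallen = len - 2;
    return 0;
}

/* Build a constructed NAS-Identifier of vallen 'A' bytes, drop `drop`
 * trailing bytes from the wire buffer to simulate truncation, and decode
 * it with the buggy (fixed == 0) or fixed (fixed != 0) decoder.
 * Returns the decoder's status, or EMSGSIZE if the value cannot be encoded. */
int radius_attr_roundtrip(size_t vallen, int fixed, size_t drop)
{
    unsigned char value[RADIUS_ATTR_MAX_VALUE + 1];
    unsigned char wire[RADIUS_ATTR_MAX_VALUE + 2];
    size_t n, got;
    uint8_t type;
    int ret;

    if (vallen > sizeof(value))
        return EMSGSIZE;
    memset(value, 'A', vallen);
    n = radius_attr_encode(RADIUS_ATTR_NAS_IDENTIFIER, value, vallen,
                           wire, sizeof(wire));
    if (n == 0)
        return EMSGSIZE;
    if (drop > n)
        drop = n;
    ret = fixed ? radius_attr_decode_fixed((const char *)wire, n - drop, &type, &got)
                : radius_attr_decode_buggy((const char *)wire, n - drop, &type, &got);
    if (ret == 0 && (type != RADIUS_ATTR_NAS_IDENTIFIER || got != vallen))
        return EBADMSG;                 /* decoded, but not what was encoded */
    return ret;
}

int main(void)
{
    printf("125-byte value, buggy decoder: %d\n", radius_attr_roundtrip(125, 0, 0));
    printf("126-byte value, buggy decoder: %d (EBADMSG is %d)\n",
           radius_attr_roundtrip(126, 0, 0), EBADMSG);
    printf("253-byte value, fixed decoder: %d\n", radius_attr_roundtrip(253, 1, 0));
    printf("253-byte value cut short by one byte, fixed decoder: %d\n",
           radius_attr_roundtrip(253, 1, 1));
    return 0;
}
```

The 125/126 boundary is where the Length byte crosses 0x7F, which is why the commit message talks about attributes longer than 125 characters; the fixed decoder keeps the upper-bound check, so an attribute whose Length byte claims more data than the buffer holds is still rejected rather than read past the end.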
Julien Rische
5fafe74f37 Fix libkrad client cleanup code
Resolves: rhbz#2100351

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-06-23 14:47:18 +02:00
Julien Rische
6ea8af6747 Fix OpenSSL 3 MD5 encryption in FIPS mode
MD4 cipher requires OpenSSL3's "legacy" provider, while MD5 is fetched from
the "default" one. Both ciphers are unavailable in FIPS mode; however,
MD5 is tolerated for RADIUS requests on the local host.

The OpenSSL3 library context was missing the "default" provider, causing
MD5 encryption to fail in FIPS mode.

Resolves: rhbz#2068458

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-05-25 11:49:51 +02:00
Julien Rische
d78e3940d1 Allow krad UDP/TCP localhost connection with FIPS
libkrad allows establishing connections only to a UNIX socket in FIPS
mode, because the MD5 digest is not considered safe enough to be used for
network communication. However, FreeRadius requires a connection on TCP or
UDP ports.

This commit allows TCP or UDP connections in FIPS mode if the destination is
localhost.

Resolves: rhbz#2068458

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-05-25 10:13:47 +02:00
Julien Rische
99ca133dd0 Use p11-kit as default PKCS11 module
Resolves: rhbz#2030981

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-05-03 17:07:12 +02:00
Julien Rische
4262e013b4 Try harder to avoid password change replay errors
change_set_password() was changed to prefer TCP.  However, because
UDP_LAST falls back to UDP after one second, we can still get a replay
error due to a dropped packet, before the TCP layer has a chance to
retry.

Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server.  In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.

Resolves: rhbz#2075186

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-04-26 15:32:34 +02:00
Julien Rische
670d3af2d8 Fix global dejagnu test suite
Global dejagnu tests in src/tests/dejagnu were not following the
enforced test suite directory naming.

Resolves: rhbz#2053133

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-04-11 12:03:13 +02:00
Julien Rische
72dec680b5 Use newly enforced dejagnu path naming convention
Since version 1.6.3, dejagnu has started to enforce a naming convention that
was already in place but not mandatory: dejagnu test directories have
to be named "testsuite". If they are not, implicit relative sub-path
resolution (e.g. "lib", "config") does not work.

This commit renames kadm5 library's unit tests directory to match this
requirement.

This fix won't be applied upstream because these tests were removed in
version 1.20.

Resolves: rhbz#2053133

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-03-31 19:03:03 +02:00
Julien Rische
743ee90668 Use SHA-256 instead of SHA-1 for PKINIT CMS digest
The CMS digest and signature algorithm for anonymous PKINIT is changed
from SHA-1 to SHA-256. SHA-1 has not been considered secure for
this kind of purpose for some years already.

Resolves: rhbz#2064823

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-03-16 17:49:06 +01:00
Julien Rische
d5c38cc27b Do not block KRB5KDF and MD4/5 in FIPS mode
Bypass OpenSSL's restrictions to use KRB5KDF in FIPS mode in case at
least one of the AES SHA-1 HMAC encryption types is used.

Use OpenSSL 3.0 library context to access MD4 and MD5 lazily from
legacy provider if RADIUS is being used or RC4 encryption type is
enabled, without affecting global context.

Remove the EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag since it does not have any
effect anymore.

Such exceptions should not be allowed by the default FIPS crypto
policy.

Resolves: rhbz#2039684
Resolves: rhbz#2053135

Signed-off-by: Julien Rische <jrische@redhat.com>
2022-02-28 14:19:37 +01:00
Antonio Torres
859e264a8c Remove -specs= from krb5-config output
Resolves: bz#1997021
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-12-17 14:12:12 +01:00
Antonio Torres
f34cb373a2 Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
Resolves: #1997602
Signed-off-by: Antonio Torres <antorres@redhat.com>
2021-10-20 17:08:04 +02:00
Mohan Boddu
364706b0c5 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 21:12:46 +00:00
Robbie Harwood
d14638ed20 Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)
Resolves: #1983733
2021-07-20 14:51:15 -04:00
Robbie Harwood
f1e7f38975 Update OpenSSL 3 provider handling to clean up properly
Resolves: #1955873
2021-07-14 16:32:30 -04:00
Robbie Harwood
e7aeea399f Sync openssl3 patches with upstream
Resolves: #1955873
2021-06-21 13:24:29 -04:00
Robbie Harwood
8855babfbf Add rpminspect and clean up mass rebuild mess
Resolves: #1967505
2021-06-17 18:55:14 -04:00
Robbie Harwood
bbae1053b5 Fix several fallback canonicalization problems
Resolves: #1967505
2021-06-17 17:47:21 -04:00
Mohan Boddu
b99dafad10 - Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-06-15 20:29:45 +00:00
Robbie Harwood
d223dacd67 Backport KCM retrieval fixes
Resolves: #1956403
2021-06-10 15:27:22 -04:00
Robbie Harwood
aec30dcfcb Fix DES3 mention in KDFs
Resolves: #1955873
2021-05-20 10:39:59 -04:00
Robbie Harwood
0018db9e38 Port to OpenSSL 3 (alpha 15)
Resolves: #1955873
2021-05-19 19:58:33 -04:00
Mohan Boddu
028c031c89 - Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-04-16 00:56:33 +00:00
Robbie Harwood
22be492dbf Manual merge with Fedora 34
Update to 1c03da79de
2021-03-09 12:06:44 -05:00
DistroBaker
94bc4ee9cb Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/krb5.git#ab3f34f0e757af2367b8c31b9bd42feae03d0e48
2021-02-18 22:21:10 +00:00
DistroBaker
f7785327ef Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/krb5.git#35a4aa7b99d1eb139f4ae0e0fe87b17ada77a999
2021-02-05 21:26:51 +00:00
DistroBaker
63115b8a52 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/krb5.git#0dd40e4ff052566efcaa5425c4cb56bd5d23d56f
2021-01-29 07:35:20 +00:00
DistroBaker
0f0d613782 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/krb5.git#327ebd0b263aa5adaafd83851b8dd9953f984c01
2021-01-27 21:06:42 +00:00
DistroBaker
638537960c Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/krb5.git#9fb5239517e1095421fd19cb964949a1f5594988
2021-01-12 23:24:10 +00:00
DistroBaker
da5db561e5 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/krb5.git#b783a5421cf5820f19f2e3aeb999ad24de39747e
2020-11-24 18:42:16 +00:00
Troy Dawson
85d9be4ef7 RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/krb5#dc8775d11d7134f84024545f21b4561a6bd8dccf
2020-11-18 14:34:00 -08:00
Troy Dawson
dcd44d26dc RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/krb5#015255764a8b2e22bcb29b8abd0813344c423da1
2020-11-18 09:51:25 -08:00
DistroBaker
f0185a4c0a Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/krb5.git#d2da394f6768fee0f055e022ccbf4c011586bd93
2020-11-05 18:01:23 +00:00
DistroBaker
2c0634c50d Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/krb5.git#bfdc7c0b7be1f33f451a173fb1155450fbe25690
2020-10-27 21:13:14 +01:00
Petr Šabata
908aeb56b2 RHEL 9.0.0 Alpha bootstrap
The content of this branch was automatically imported from Fedora ELN
with the following as its source:
https://src.fedoraproject.org/rpms/krb5#501e2980728bcbd0c757fd9bb2b6274342420d2a
2020-10-15 15:05:18 +02:00