Bypass OpenSSL's restrictions to use KRB5KDF in FIPS mode in case at
least one of AES SHA-1 HMAC encryption types are used.
Use OpenSSL 3.0 library context to access MD4 and MD5 lazily from
legacy provider if RADIUS is being used or RC4 encryption type is
enabled, without affecting global context.
Such exceptions should not be allowed by the default FIPS crypto
policy.
Signed-off-by: Julien Rische <jrische@redhat.com>
Also set "supportedCMSTypes" to SHA-512/256 with RSA encryption
Resolves: rhbz#2124463
Resolves: rhbz#2114766
Signed-off-by: Julien Rische <jrische@redhat.com>
There is at least one case (with flatpaks) where configuration files
in the special read-only /etc all have an mtime of 0. Using an
initial last modified time of 0 in g_initialize.c causes these files
to never be read.
Change the initial high value to the be the "invalid" value
(time_t)-1. Since the C and POSIX standards do not require time_t to
be signed, special-case the checks in load_if_changed() and
updateMechList() to treat all mod times as newer than -1.
Signed-off-by: Julien Rische <jrische@redhat.com>
libkrad allows to establish connections only to UNIX socket in FIPS
mode, because MD5 digest is not considered safe enough to be used for
network communication. However, FreeRadius requires connection on TCP or
UDP ports.
This commit allows TCP or UDP connections in FIPS mode if destination is
localhost.
Resolves: rhbz#2082189
Signed-off-by: Julien Rische <jrische@redhat.com>
change_set_password() was changed to prefer TCP. However, because
UDP_LAST falls back to UDP after one second, we can still get a replay
error due to a dropped packet, before the TCP layer has a chance to
retry.
Instead, try k5_sendto() with NO_UDP, and only fall back to UDP after
TCP fails completely without reaching a server. In sendto_kdc.c,
implement an ONLY_UDP transport strategy to allow the UDP fallback.
Resolves: rhbz#2076965
Signed-off-by: Julien Rische <jrische@redhat.com>
In kr_attrset_decode(), explicitly treat the length byte as unsigned.
Otherwise attributes longer than 125 characters will be rejected with
EBADMSG.
Add a 253-character-long NAS-Identifier attribute to the tests to make
sure that attributes with the maximal number of characters are working
as expected.
[ghudson@mit.edu: used uint8_t cast per current practices; edited
commit message]
ticket: 9036 (new)
From upstream, needed in preparation for OAuth2 support for FreeIPA and
SSSD.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
CMS digest and signature algorithm for the anonymous PKINIT is changed
from SHA-1 to SHA-256. SHA-1 hasn't been considered secure anymore for
this kind of purposes for some years already.
Resolves: rhbz#2067121
Signed-off-by: Julien Rische <jrische@redhat.com>
1.15.1 was ~2017, so there is no need to support upgrades from such old
systemd. This allows the dependency on grep to be dropped. grep pulls
in pcre, but most other programs in the core group depend on the newer
pcre2, so it's nicer to avoid pulling in pcre in minimal installations.
Currently the gating file prevents building:
rharwood@eesha:~/krb5.fedora/rawhide$ fedpkg build
Could not execute build: Found a gating.yaml file in your repo with additional Greenwave policies, but it is not valid.
Please fix the file or skip this check using the option --skip-remote-rules-validation.
Error response from Greenwave: YAML Parser Error: mapping values are not allowed here
in "<unicode string>", line 2, column 18:
product_versions:
^
rharwood@eesha:~/krb5.fedora/rawhide$
Patches to add it back will be considered if and only if they don't
break the build.
