|
 |
905476 |
From 813f3840c7b9f32c1d96dcd847be91fe545653eb Mon Sep 17 00:00:00 2001
|
|
|
8874ae |
From: Julien Rische <jrische@redhat.com>
|
|
|
8874ae |
Date: Thu, 5 May 2022 17:15:12 +0200
|
|
|
905476 |
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection
|
|
|
905476 |
with FIPS
|
|
|
8874ae |
|
|
|
8874ae |
libkrad allows to establish connections only to UNIX socket in FIPS
|
|
|
8874ae |
mode, because MD5 digest is not considered safe enough to be used for
|
|
|
8874ae |
network communication. However, FreeRadius requires connection on TCP or
|
|
|
8874ae |
UDP ports.
|
|
|
8874ae |
|
|
|
8874ae |
This commit allows TCP or UDP connections in FIPS mode if destination is
|
|
|
8874ae |
localhost.
|
|
|
8874ae |
|
|
|
905476 |
Resolves: rhbz#2082189
|
|
|
8874ae |
---
|
|
|
905476 |
src/lib/krad/remote.c | 35 +++++++++++++++++++++++++++++++++--
|
|
|
905476 |
1 file changed, 33 insertions(+), 2 deletions(-)
|
|
|
8874ae |
|
|
|
8874ae |
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
|
|
905476 |
index 929f1cef67..063f17a613 100644
|
|
|
8874ae |
--- a/src/lib/krad/remote.c
|
|
|
8874ae |
+++ b/src/lib/krad/remote.c
|
|
|
8874ae |
@@ -33,6 +33,7 @@
|
|
|
8874ae |
|
|
|
8874ae |
#include <string.h>
|
|
|
8874ae |
#include <unistd.h>
|
|
|
8874ae |
+#include <stdbool.h>
|
|
|
8874ae |
|
|
|
8874ae |
#include <sys/un.h>
|
|
|
8874ae |
|
|
|
905476 |
@@ -74,6 +75,35 @@ on_io(verto_ctx *ctx, verto_ev *ev);
|
|
|
8874ae |
static void
|
|
|
8874ae |
on_timeout(verto_ctx *ctx, verto_ev *ev);
|
|
|
8874ae |
|
|
|
8874ae |
+static in_addr_t get_in_addr(struct addrinfo *info)
|
|
|
8874ae |
+{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
|
|
|
8874ae |
+
|
|
|
8874ae |
+static struct in6_addr *get_in6_addr(struct addrinfo *info)
|
|
|
8874ae |
+{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
|
|
|
8874ae |
+
|
|
|
8874ae |
+static bool is_inet_localhost(struct addrinfo *info)
|
|
|
8874ae |
+{
|
|
|
8874ae |
+ struct addrinfo *p;
|
|
|
8874ae |
+
|
|
|
8874ae |
+ for (p = info; p; p = p->ai_next) {
|
|
|
8874ae |
+ switch (p->ai_family) {
|
|
|
8874ae |
+ case AF_INET:
|
|
|
8874ae |
+ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
|
|
|
8874ae |
+ >> IN_CLASSA_NSHIFT))
|
|
|
8874ae |
+ return false;
|
|
|
8874ae |
+ break;
|
|
|
8874ae |
+ case AF_INET6:
|
|
|
8874ae |
+ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
|
|
|
8874ae |
+ return false;
|
|
|
8874ae |
+ break;
|
|
|
8874ae |
+ default:
|
|
|
8874ae |
+ return false;
|
|
|
8874ae |
+ }
|
|
|
8874ae |
+ }
|
|
|
8874ae |
+
|
|
|
8874ae |
+ return true;
|
|
|
8874ae |
+}
|
|
|
8874ae |
+
|
|
|
8874ae |
/* Iterate over the set of outstanding packets. */
|
|
|
8874ae |
static const krad_packet *
|
|
|
8874ae |
iterator(request **out)
|
|
|
905476 |
@@ -460,8 +490,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
|
|
|
8874ae |
(krad_packet_iter_cb)iterator, &r, &tmp);
|
|
|
8874ae |
if (retval != 0)
|
|
|
8874ae |
goto error;
|
|
|
8874ae |
- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
|
|
|
8874ae |
- rr->info->ai_family != AF_UNIX) {
|
|
|
8874ae |
+ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
|
|
|
8874ae |
+ && rr->info->ai_family != AF_UNIX
|
|
|
8874ae |
+ && !is_inet_localhost(rr->info)) {
|
|
|
8874ae |
/* This would expose cleartext passwords, so abort. */
|
|
|
8874ae |
retval = ESOCKTNOSUPPORT;
|
|
|
8874ae |
goto error;
|
|
|
8874ae |
--
|
|
|
905476 |
2.38.1
|
|
|
8874ae |
|