|
 |
d1ad9f |
From 813f3840c7b9f32c1d96dcd847be91fe545653eb Mon Sep 17 00:00:00 2001
|
|
|
38a7f7 |
From: Julien Rische <jrische@redhat.com>
|
|
|
38a7f7 |
Date: Thu, 5 May 2022 17:15:12 +0200
|
|
|
d1ad9f |
Subject: [PATCH] [downstream] Allow krad UDP/TCP localhost connection
|
|
|
d1ad9f |
with FIPS
|
|
|
38a7f7 |
|
|
|
38a7f7 |
libkrad allows to establish connections only to UNIX socket in FIPS
|
|
|
38a7f7 |
mode, because MD5 digest is not considered safe enough to be used for
|
|
|
38a7f7 |
network communication. However, FreeRadius requires connection on TCP or
|
|
|
38a7f7 |
UDP ports.
|
|
|
38a7f7 |
|
|
|
38a7f7 |
This commit allows TCP or UDP connections in FIPS mode if destination is
|
|
|
38a7f7 |
localhost.
|
|
|
38a7f7 |
|
|
|
d1ad9f |
Resolves: rhbz#2082189
|
|
|
38a7f7 |
---
|
|
|
d1ad9f |
src/lib/krad/remote.c | 35 +++++++++++++++++++++++++++++++++--
|
|
|
d1ad9f |
1 file changed, 33 insertions(+), 2 deletions(-)
|
|
|
38a7f7 |
|
|
|
38a7f7 |
diff --git a/src/lib/krad/remote.c b/src/lib/krad/remote.c
|
|
|
d1ad9f |
index 929f1cef67..063f17a613 100644
|
|
|
38a7f7 |
--- a/src/lib/krad/remote.c
|
|
|
38a7f7 |
+++ b/src/lib/krad/remote.c
|
|
|
38a7f7 |
@@ -33,6 +33,7 @@
|
|
|
38a7f7 |
|
|
|
38a7f7 |
#include <string.h>
|
|
|
38a7f7 |
#include <unistd.h>
|
|
|
38a7f7 |
+#include <stdbool.h>
|
|
|
38a7f7 |
|
|
|
38a7f7 |
#include <sys/un.h>
|
|
|
38a7f7 |
|
|
|
d1ad9f |
@@ -74,6 +75,35 @@ on_io(verto_ctx *ctx, verto_ev *ev);
|
|
|
38a7f7 |
static void
|
|
|
38a7f7 |
on_timeout(verto_ctx *ctx, verto_ev *ev);
|
|
|
38a7f7 |
|
|
|
38a7f7 |
+static in_addr_t get_in_addr(struct addrinfo *info)
|
|
|
38a7f7 |
+{ return ((struct sockaddr_in *)(info->ai_addr))->sin_addr.s_addr; }
|
|
|
38a7f7 |
+
|
|
|
38a7f7 |
+static struct in6_addr *get_in6_addr(struct addrinfo *info)
|
|
|
38a7f7 |
+{ return &(((struct sockaddr_in6 *)(info->ai_addr))->sin6_addr); }
|
|
|
38a7f7 |
+
|
|
|
38a7f7 |
+static bool is_inet_localhost(struct addrinfo *info)
|
|
|
38a7f7 |
+{
|
|
|
38a7f7 |
+ struct addrinfo *p;
|
|
|
38a7f7 |
+
|
|
|
38a7f7 |
+ for (p = info; p; p = p->ai_next) {
|
|
|
38a7f7 |
+ switch (p->ai_family) {
|
|
|
38a7f7 |
+ case AF_INET:
|
|
|
38a7f7 |
+ if (IN_LOOPBACKNET != (get_in_addr(p) & IN_CLASSA_NET
|
|
|
38a7f7 |
+ >> IN_CLASSA_NSHIFT))
|
|
|
38a7f7 |
+ return false;
|
|
|
38a7f7 |
+ break;
|
|
|
38a7f7 |
+ case AF_INET6:
|
|
|
38a7f7 |
+ if (!IN6_IS_ADDR_LOOPBACK(get_in6_addr(p)))
|
|
|
38a7f7 |
+ return false;
|
|
|
38a7f7 |
+ break;
|
|
|
38a7f7 |
+ default:
|
|
|
38a7f7 |
+ return false;
|
|
|
38a7f7 |
+ }
|
|
|
38a7f7 |
+ }
|
|
|
38a7f7 |
+
|
|
|
38a7f7 |
+ return true;
|
|
|
38a7f7 |
+}
|
|
|
38a7f7 |
+
|
|
|
38a7f7 |
/* Iterate over the set of outstanding packets. */
|
|
|
38a7f7 |
static const krad_packet *
|
|
|
38a7f7 |
iterator(request **out)
|
|
|
d1ad9f |
@@ -460,8 +490,9 @@ kr_remote_send(krad_remote *rr, krad_code code, krad_attrset *attrs,
|
|
|
38a7f7 |
(krad_packet_iter_cb)iterator, &r, &tmp);
|
|
|
38a7f7 |
if (retval != 0)
|
|
|
38a7f7 |
goto error;
|
|
|
38a7f7 |
- else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL &&
|
|
|
38a7f7 |
- rr->info->ai_family != AF_UNIX) {
|
|
|
38a7f7 |
+ else if (tmp->is_fips && rr->info->ai_family != AF_LOCAL
|
|
|
38a7f7 |
+ && rr->info->ai_family != AF_UNIX
|
|
|
38a7f7 |
+ && !is_inet_localhost(rr->info)) {
|
|
|
38a7f7 |
/* This would expose cleartext passwords, so abort. */
|
|
|
38a7f7 |
retval = ESOCKTNOSUPPORT;
|
|
|
38a7f7 |
goto error;
|
|
|
38a7f7 |
--
|
|
|
d1ad9f |
2.38.1
|
|
|
38a7f7 |
|