freeradius/freeradius-FIPS-exit-if-md5-not-allowed.patch

40 lines
1.5 KiB
Diff
Raw Normal View History

Author: Antonio Torres <antorres@redhat.com>
Date: Fri Jul 2 07:12:48 2021 -0400
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
variable to 1 or else FR should exit at start.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
Signed-off-by: Antonio Torres antorres@redhat.com
---
src/main/radiusd.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
index 9739514509..58a48895e6 100644
--- a/src/main/radiusd.c
+++ b/src/main/radiusd.c
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
exit(EXIT_FAILURE);
}
+ /*
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
+ */
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
+ if (fips_file != NULL) {
+ int fips_enabled = fgetc(fips_file) - '0';
+ fclose(fips_file);
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
+ exit(EXIT_FAILURE);
+ }
+ }
+
/*
* According to the talloc peeps, no two threads may modify any part of
* a ctx tree with a common root without synchronisation.