Add WITH_FIPS macro to CFLAGS

We need this flag added to CFLAGS in order for FreeRADIUS to run under a
system in FIPS mode.

Resolves: 2083699
Signed-off-by: Antonio Torres <antorres@redhat.com>
This commit is contained in:
Antonio Torres 2022-05-30 18:58:12 +02:00
parent d83b583a42
commit a9061bf663
No known key found for this signature in database
GPG Key ID: 359FAF777296F653
2 changed files with 11 additions and 82 deletions

View File

@ -7,12 +7,9 @@ Related: rhbz#1978216
Related: rhbz#2083699
Signed-off-by: Antonio Torres <antorres@redhat.com>
[antorres@redhat.com]: commit 947d5d6bd2674a60f7320f0b721e4723243c2285 is backported
manually to avoid issues when applying on top of 3.0.21 tag. Because of this, files configure
and configure.ac only contain changes (adapted) from this commit, not other changes from upstream state.
[antorres@redhat.com]: these changes include the macro WITH_FIPS, which allows FreeRADIUS
to work on top of OpenSSL 3.0 when the system is in FIPS mode. We enable this macro on the specfile.
---
configure | 19 +
configure.ac | 19 +
share/dictionary.freeradius.internal | 54 +-
src/include/build.h | 25 +-
src/include/libradius.h | 23 +-
@ -69,82 +66,8 @@ and configure.ac only contain changes (adapted) from this commit, not other chan
src/modules/rlm_wimax/milenage.h | 128 ++
src/modules/rlm_wimax/rlm_wimax.c | 429 ++++-
src/tests/keywords/md4 | 58 +
58 files changed, 5951 insertions(+), 1205 deletions(-)
56 files changed, 5913 insertions(+), 1205 deletions(-)
diff --git a/configure b/configure
index edf08649a0..5b58f76c97 100755
--- a/configure
+++ b/configure
@@ -736,6 +736,7 @@ ac_subst_files=''
ac_user_opts='
enable_option_checking
enable_developer
+enable_fips_workaround
enable_largefile
enable_strict_dependencies
enable_werror
@@ -1406,6 +1407,7 @@ Optional Features:
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-developer enables features of interest to developers.
+ --enable-fips-workaround enables local MD4, MD5, etc. functionality to avoid OpenSSL FIPS issues.
--disable-largefile omit support for large files
--enable-strict-dependencies fail configure on lack of module dependancy.
--enable-werror causes the build to fail if any warnings are generated.
@@ -2486,6 +2488,23 @@ if test "x$developer" = "xyes"; then
: ${CFLAGS=-g3}
fi
+# Check whether --enable-fips-workaround was given.
+if test ${enable_fips_workaround+y}
+then :
+ enableval=$enable_fips_workaround; case "$enableval" in
+ no)
+ fips=""
+ ;;
+ *)
+ fips="yes"
+ esac
+else $as_nop
+ fips=""
+fi
+
+if test "x$fips" = "xyes"; then
+$as_echo "#define WITH_FIPS 1" >>confdefs.h
+fi
ac_aux_dir=
for ac_dir in "$srcdir" "$srcdir/.." "$srcdir/../.."; do
diff --git a/configure.ac b/configure.ac
index c72511ab39..10b7cc02c0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -100,6 +100,25 @@ if test "x$developer" = "xyes"; then
: ${CFLAGS=-g3}
fi
+dnl #
+dnl # Hard-code FIPS support/
+dnl #
+AC_ARG_ENABLE(fips-workaround,
+[ --enable-fips-workaround enables local MD4, MD5, etc. functionality to avoid OpenSSL FIPS issues.],
+[ case "$enableval" in
+ no)
+ fips=""
+ ;;
+ *)
+ fips="yes"
+ esac ],
+[ fips="" ],
+)
+if test "x$fips" != "xyes"; then
+ AC_DEFINE(WITH_FIPS, [1], [define if you want FIPS support])
+fi
+AC_SUBST(WITH_FIPS)
+
dnl #############################################################
dnl #
dnl # 0. Checks for compiler, libtool, and command line options.
diff --git a/share/dictionary.freeradius.internal b/share/dictionary.freeradius.internal
index 724e1f7ff6..347e3e59f3 100644
--- a/share/dictionary.freeradius.internal

View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.21
Release: 31%{?dist}
Release: 32%{?dist}
License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/
@ -228,6 +228,9 @@ sed 's/rlm_python/rlm_python3/g' src/modules/stable -i
export PY3_LIB_DIR="$(python3-config --configdir)"
export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_var("INCLUDEPY"))')"
# Enable FIPS support
%global build_cflags %{build_cflags} -DWITH_FIPS
# In order for the above hack to stick, do a fake configure so
# we can run reconfig before cleaning up after ourselves and running
# configure for real.
@ -237,7 +240,6 @@ export PY3_INC_DIR="$(python3 -c 'import sysconfig; print(sysconfig.get_config_v
--libdir=%{_libdir}/freeradius \
--enable-reproducible-builds \
--disable-openssl-version-check \
--enable-fips-workaround \
--with-openssl \
--with-udpfromto \
--with-threads \
@ -859,6 +861,10 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
* Mon May 30 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-32
- Add WITH_FIPS macro to CFLAGS
Related: rhbz#2083699
* Tue May 24 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-31
- Update OpenSSL 3.0 support backport to current v3.0.x branch state
- Add "--enable-fips-workaround" to build options