40 lines
1.5 KiB
Diff
40 lines
1.5 KiB
Diff
Author: Antonio Torres <antorres@redhat.com>
|
|
Date: Fri Jul 2 07:12:48 2021 -0400
|
|
Subject: [PATCH] exit if host in FIPS mode and MD5 not explicitly allowed
|
|
|
|
FIPS does not allow MD5, which FreeRADIUS needs to work. The user should
|
|
explicitly allow MD5 usage by setting the RADIUS_MD5_FIPS_OVERRIDE environment
|
|
variable to 1 or else FR should exit at start.
|
|
|
|
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1958979
|
|
Signed-off-by: Antonio Torres antorres@redhat.com
|
|
---
|
|
src/main/radiusd.c | 14 ++++++++++++++
|
|
1 file changed, 14 insertions(+)
|
|
|
|
diff --git a/src/main/radiusd.c b/src/main/radiusd.c
|
|
index 9739514509..58a48895e6 100644
|
|
--- a/src/main/radiusd.c
|
|
+++ b/src/main/radiusd.c
|
|
@@ -298,6 +298,20 @@ int main(int argc, char *argv[])
|
|
exit(EXIT_FAILURE);
|
|
}
|
|
|
|
+ /*
|
|
+ * If host is in FIPS mode, we need the user to explicitly allow MD5 usage.
|
|
+ */
|
|
+ char *fips_md5_override = getenv("RADIUS_MD5_FIPS_OVERRIDE");
|
|
+ FILE *fips_file = fopen("/proc/sys/crypto/fips_enabled", "r");
|
|
+ if (fips_file != NULL) {
|
|
+ int fips_enabled = fgetc(fips_file) - '0';
|
|
+ fclose(fips_file);
|
|
+ if (fips_enabled == 1 && (fips_md5_override == NULL || atoi(fips_md5_override) != 1)) {
|
|
+ fprintf(stderr, "Cannot run FreeRADIUS in FIPS mode because it uses MD5. To allow MD5 usage, set RADIUS_MD5_FIPS_OVERRIDE=1 before starting FreeRADIUS.\n");
|
|
+ exit(EXIT_FAILURE);
|
|
+ }
|
|
+ }
|
|
+
|
|
/*
|
|
* According to the talloc peeps, no two threads may modify any part of
|
|
* a ctx tree with a common root without synchronisation.
|