Bug 1088778

Summary: radiusd couldn't be started in FIPS mode if rlm_eap module is loaded
Product: Red Hat Enterprise Linux 6
Reporter: David Spurek <dspurek>
Component: freeradius
Assignee: Nikolai Kondrashov <nikolai.kondrashov>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 6.5
CC: dpal, ebenes, omoris
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Clone Of:
: 1088782
Last Closed: 2014-08-25 10:12:28 UTC
Type: Bug
Bug Blocks: 13077, 691449, 1088782

Description David Spurek 2014-04-17 07:35:54 UTC
Description of problem:
radiusd couldn't be started in FIPS mode if rlm_eap module is loaded


Version-Release number of selected component (if applicable):
freeradius-2.1.12-4.el6_3

How reproducible:


Steps to Reproduce:
1. run radiusd -X

Actual results:
radiusd -X fails with
rlm_eap_tls: Couldn't set ephemeral RSA key
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"

Expected results:
radiusd is running

Additional info:
The error message "tls: Couldn't set ephemeral RSA key" comes from the generate_eph_rsa_key function in src/main/tls.c

This function calls RSA_generate_key(512, RSA_F4, NULL, NULL), which is probably the source of the problem.
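
An added triage example, not part of the bug report or of FreeRADIUS: it parses the radiusd -X output quoted in the description and pairs it with the kernel FIPS flag read from /proc/sys/crypto/fips_enabled, so the startup failure can be recognised automatically. The function names and verdict strings are assumptions made for this example, and the 512-bit RSA_generate_key call as the cause remains the reporter's hypothesis.

```python
import re
from pathlib import Path

# radiusd -X output copied from the bug report above.
REPORTED_OUTPUT = """\
rlm_eap_tls: Couldn't set ephemeral RSA key
rlm_eap: Failed to initialize type tls
/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
"""

MODULE_MSG = re.compile(r"^(rlm_\w+): (.+)$")
INSTANTIATION = re.compile(
    r'^(?P<file>\S+)\[(?P<line>\d+)\]: Instantiation failed for module "(?P<module>[^"]+)"$')
EPH_RSA = "Couldn't set ephemeral RSA key"


def fips_enabled(flag_file="/proc/sys/crypto/fips_enabled"):
    """Return True when the kernel flag file reports FIPS mode."""
    try:
        return Path(flag_file).read_text().strip() == "1"
    except OSError:
        return False  # flag file absent or unreadable


def triage(output, fips):
    """Collect the error chain from radiusd -X output and classify it."""
    result = {"module": None, "config": None, "line": None,
              "errors": [], "verdict": "no instantiation failure found"}
    for raw in output.splitlines():
        text = raw.strip()
        msg = MODULE_MSG.match(text)
        inst = INSTANTIATION.match(text)
        if msg:  # per-module error line, e.g. "rlm_eap_tls: ..."
            result["errors"].append((msg.group(1), msg.group(2)))
        elif inst:  # final line naming the config file, line and module
            result.update(module=inst["module"], config=inst["file"], line=int(inst["line"]))
    if result["module"] is None:
        return result
    if not any(text == EPH_RSA for _, text in result["errors"]):
        result["verdict"] = "other instantiation failure"
    elif fips:
        result["verdict"] = "ephemeral RSA key setup failed with FIPS mode on"
    else:
        result["verdict"] = "ephemeral RSA key setup failed with FIPS mode off"
    return result


if __name__ == "__main__":
    print(triage(REPORTED_OUTPUT, fips_enabled()))
```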

Comment 3 Nikolai Kondrashov 2014-08-25 10:12:28 UTC
Closing as WONTFIX as fixing this won't make radiusd function in FIPS mode anyway, due to the protocol requiring the use of MD5, which is not permitted in FIPS mode.