Bug 1958979

Summary: Freeradius works in FIPS although it uses MD5
Product: Red Hat Enterprise Linux 8 Reporter: Filip Dvorak <fdvorak>
Component: freeradius Assignee: Antonio Torres <antorres>
Status: CLOSED ERRATA QA Contact: Filip Dvorak <fdvorak>
Severity: medium Docs Contact: lmcgarry
Priority: unspecified
Version: 8.4 CC: antorres, fdvorak, lmanasko, lmcgarry, nikolai.kondrashov, pasik
Target Milestone: beta Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: freeradius-3.0.20-7.module+el8.5.0+11913+a0aa3fd3 Doc Type: If docs needed, set a value
Doc Text:
.FreeRADIUS server fails to run in FIPS mode

By default, in FIPS mode, OpenSSL disables the use of the MD5 digest algorithm. As the RADIUS protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, this causes the FreeRADIUS server to fail in FIPS mode. To work around this problem, follow these steps:

.Procedure
. Create the `RADIUS_MD5_FIPS_OVERRIDE` environment variable for the `radiusd` service:
+
[subs="quotes"]
----
systemctl edit radiusd
[Service]
Environment=RADIUS_MD5_FIPS_OVERRIDE=1
----
. To apply the change, reload the `systemd` configuration and start the `radiusd` service:
+
[subs="quotes"]
----
# systemctl daemon-reload
# systemctl start radiusd
----
. To run FreeRADIUS in debug mode:
+
[subs="quotes"]
----
# RADIUS_MD5_FIPS_OVERRIDE=1 radiusd -X
----

Note that although FreeRADIUS can run in FIPS mode, this does not mean that it is FIPS compliant, as it uses weak ciphers and functions when in FIPS mode. For more information on configuring FreeRADIUS authentication in FIPS mode, see link:https://access.redhat.com/solutions/4650511[How to configure FreeRADIUS authentication in FIPS mode].
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 18:51:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1872689, 1884741
Bug Blocks:
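An added example, not from the bug report, Red Hat or the FreeRADIUS project: a small audit script for the workaround described in the Doc Text. It reports whether the host is in FIPS mode and whether a `radiusd` systemd drop-in sets `RADIUS_MD5_FIPS_OVERRIDE=1`, so an operator can see that RADIUS MD5 is being used on a FIPS host. The drop-in directory (normally `/etc/systemd/system/radiusd.service.d`, as created by `systemctl edit radiusd`) and the `/proc/sys/crypto/fips_enabled` path are assumptions and are passed in as parameters so the check can be run against constructed files.

```shell
#!/bin/sh
# Added example: audit the RADIUS_MD5_FIPS_OVERRIDE workaround on a FIPS host.
# Assumed paths (passed as arguments): the radiusd drop-in directory and the
# kernel FIPS flag file, e.g.
#   radius_fips_state /proc/sys/crypto/fips_enabled /etc/systemd/system/radiusd.service.d

# Returns 0 if any *.conf drop-in in $1 sets RADIUS_MD5_FIPS_OVERRIDE=1 on an
# Environment= line inside a [Service] section, 1 otherwise.
override_configured() {
  dir="$1"
  [ -d "$dir" ] || return 1
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    awk '
      /^\[/ { section = $0 }                 # remember the current unit section
      section == "[Service]" && /^Environment=/ {
        sub(/^Environment=/, "")
        gsub(/"/, "")                        # Environment="A=1 B=2" form
        n = split($0, kv, " ")
        for (i = 1; i <= n; i++)
          if (kv[i] == "RADIUS_MD5_FIPS_OVERRIDE=1") found = 1
      }
      END { exit found ? 0 : 1 }
    ' "$f" && return 0
  done
  return 1
}

# Prints exactly one of:
#   fips-off             host is not in FIPS mode, nothing to report
#   fips-on-no-override  FIPS on, override absent: radiusd is expected to fail to start
#   fips-on-md5-override FIPS on, override present: radiusd runs, but RADIUS MD5 is
#                        not FIPS approved, so the host is not FIPS compliant
radius_fips_state() {
  fips_file="$1"
  dropin_dir="$2"
  fips=0
  [ -r "$fips_file" ] && fips=$(cat "$fips_file")
  if [ "$fips" != "1" ]; then
    echo fips-off
    return 0
  fi
  if override_configured "$dropin_dir"; then
    echo fips-on-md5-override
  else
    echo fips-on-no-override
  fi
}
```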

Description Filip Dvorak 2021-05-10 14:17:19 UTC
Description of problem:
FreeRADIUS (FR) is not FIPS compliant because it uses the MD5 function. But in RHEL7 it was possible to use a workaround with the environment variable "OPENSSL_FIPS_NON_APPROVED_ALLOW=1" and configure FR authentication in FIPS [1], or use ipa-otp via RADIUS proxy in FIPS as described here [2][3].

I have tried these scenarios (the second after the BZ#1872689 for krb5 was fixed [3]) on RHEL8.4 and they work without any workaround (the env. variable "OPENSSL_FIPS_NON_APPROVED_ALLOW=1" is not supported on RHEL8). It means that it was possible to authenticate an FR user on the radiusd server in FIPS. In my opinion, it is not correct behavior because FR uses MD5 functions which are forbidden in FIPS, and the customer who enabled FIPS mode expects that all these old and weak ciphers/functions are disabled in FIPS mode.

Because we want to support these scenarios [3 c#21], I would prefer the old behavior from RHEL7. The FR should NOT work in FIPS in RHEL8, but with the help of some env. variable or some extra option in FR (something similar to "radius_md5_fips_override=true" in krb5) the user could be authenticated on the FR server in FIPS.

[1] https://access.redhat.com/solutions/4650511
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#required-settings-for-configuring-radius-proxy-on-an-idm-server-running-in-fips-mode
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1872689

Version-Release number of selected component (if applicable):
RHEL-8.4.0
freeradius-3.0.20-3.module+el8.3.0+7597+67902674.x86_64
krb5-libs-1.18.2-7.el8.x86_64

Steps to Reproduce:
Scenario1 - https://access.redhat.com/solutions/4650511
Scenario2 - https://bugzilla.redhat.com/show_bug.cgi?id=1872689#c0

Actual results:
https://bugzilla.redhat.com/show_bug.cgi?id=1872689#c41

Expected results:
FR authentication should work in FIPS only with some workaround mentioned above.

Additional info:
The list of related documentation is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1884741#c2
(This documentation should be modified as soon as this bug is fixed.)

Comment 19 errata-xmlrpc 2021-11-09 18:51:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (freeradius bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4317

Comment 23 lmcgarry 2022-02-10 14:31:03 UTC
Hi Filip,

Does this workaround and Known issue apply to RHEL 8.6 also? Thanks