Bug 2083699

Summary: Segfault due to FIPS restriction of MD5
Product: Red Hat Enterprise Linux 9
Reporter: Julien Rische <jrische>
Component: freeradius
Assignee: Antonio Torres <antorres>
Status: CLOSED ERRATA
QA Contact: Filip Dvorak <fdvorak>
Severity: unspecified
Priority: unspecified
Version: 9.1
CC: fdvorak, nikolai.kondrashov
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: freeradius-3.0.21-32.el9
Last Closed: 2022-11-15 10:19:20 UTC
Type: Bug
Bug Blocks: 2068458

Description Julien Rische 2022-05-10 15:04:48 UTC
FreeIPA's RADIUS OTP setup is causing a segmentation fault in FIPS mode:

Thread 2 "radiusd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f531ea54640 (LWP 27144)]
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00007f5324c068d0 in rad_pwdecode (passwd=passwd@entry=0x7f531ea539f0 "Secret123456",
    pwlen=<optimized out>, pwlen@entry=16, secret=secret@entry=0x556361bf7cb0 "testing123",
    vector=vector@entry=0x556361d3fb58 "#&zb\375\253\206+\026!\217\371{\fdj#&zb") at src/lib/radius.c:4655
#2  0x00007f5324c0c281 in data2vp (ctx=ctx@entry=0x556361d3fb10, packet=packet@entry=0x556361d3fb10,
    original=original@entry=0x0, secret=<optimized out>, da=da@entry=0x5563619a3430,
    start=start@entry=0x556361d3fc44 "Secret123456", attrlen=16, packetlen=16, pvp=0x7f531ea53d10)
    at src/lib/radius.c:3887
#3  0x00007f5324c0cb1b in rad_attr2vp (ctx=ctx@entry=0x556361d3fb10, packet=packet@entry=0x556361d3fb10,
    original=original@entry=0x0, secret=secret@entry=0x556361bf7cb0 "testing123",
    data=data@entry=0x556361d3fc42 "\002\022Secret123456", length=length@entry=18, pvp=0x7f531ea53d10)
    at src/lib/radius.c:4327
#4  0x00007f5324c0f2e1 in rad_decode (packet=0x556361d3fb10, original=0x0, secret=0x556361bf7cb0 "testing123")
    at src/lib/radius.c:4492
#5  0x000055636076391d in request_pre_handler (action=1, action=1, request=0x556361d3fcc0)
    at src/main/process.c:1323
#6  request_running (request=0x556361d3fcc0, action=<optimized out>) at src/main/process.c:1616
#7  0x000055636075d282 in request_handler_thread (arg=0x556361d0bf00) at src/main/threads.c:826
#8  0x00007f53245a26ca in start_thread (arg=<optimized out>) at pthread_create.c:443
#9  0x00007f53245423f0 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

The test setup is described in bug 2068458. This seems to be caused by the current OpenSSL integration[1] relying on the "EVP_MD_CTX_FLAG_NON_FIPS_ALLOW" flag which has no effect any more[2]. The same error is probably occurring for MD4.

[1] https://gitlab.com/redhat/centos-stream/rpms/freeradius/-/blob/c9s/freeradius-Backport-OpenSSL3-fixes.patch#L483
[2] https://github.com/openssl/openssl/blob/openssl-3.0.3/include/openssl/evp.h#L208-L209
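
The backtrace above faults inside rad_pwdecode, which undoes the MD5-based User-Password hiding defined in RFC 2865 section 5.2. As an added illustration (Python, not FreeRADIUS or Red Hat code), the sketch below performs that encode and decode, requests MD5 as a non-security use, and turns a refusal by the crypto policy into an explicit error instead of carrying on with an unusable digest. The function names and the sample authenticator used to exercise it are constructed for this example.

```python
import hashlib


class DigestUnavailable(RuntimeError):
    """The crypto backend refused to provide MD5 (for example under FIPS policy)."""


def md5(data: bytes) -> bytes:
    # usedforsecurity=False (Python 3.9+) declares a protocol-mandated,
    # non-security use; FIPS-enabled builds may still permit it.
    try:
        return hashlib.md5(data, usedforsecurity=False).digest()
    except ValueError as exc:
        # Fail closed with a clear error rather than using a half-initialised digest.
        raise DigestUnavailable("MD5 blocked by crypto policy") from exc


def _xor(block: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(block, pad))


def pw_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password value: c(i) = p(i) XOR MD5(secret + c(i-1))."""
    if len(authenticator) != 16 or len(password) > 128:
        raise ValueError("bad authenticator or password length")
    width = max(16, -(-len(password) // 16) * 16)   # pad to a multiple of 16
    padded = password.ljust(width, b"\0")
    out, prev = bytearray(), authenticator          # c(0) is the Request Authenticator
    for i in range(0, width, 16):
        prev = _xor(padded[i:i + 16], md5(secret + prev))
        out += prev
    return bytes(out)


def pw_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password; attribute data must be 16..128 bytes, multiple of 16."""
    if len(authenticator) != 16:
        raise ValueError("bad authenticator length")
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("bad User-Password length")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, md5(secret + prev))
        prev = block                                # chain on the ciphertext block
    return bytes(out).rstrip(b"\0")                 # strip the null padding
```
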

Comment 13 errata-xmlrpc 2022-11-15 10:19:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (freeradius bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8089