Bug 1859527 - freeradius can't generate dhparams with OpenSSL in FIPS
Summary: freeradius can't generate dhparams with OpenSSL in FIPS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: freeradius
Version: 8.3
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
: 8.0
Assignee: Alex Scheel
QA Contact: Filip Dvorak
lmcgarry
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-07-22 10:38 UTC by Ondrej Moriš
Modified: 2020-11-04 03:58 UTC (History)
7 users (show)

Fixed In Version: freeradius-3.0-8030020200806223029.1e4bbb35
Doc Type: Bug Fix
Doc Text:
.FreeRADIUS now generates FIPS-compliant Diffie-Hellman parameters Due to new FIPS requirements that do not allow `openssl` to generate Diffie-Hellman (dh) parameters via `dhparam`, the dh parameter generation has been removed from the FreeRADIUS bootstrap scripts and the file, `rfc3526-group-18-8192.dhparam`, is included with the FreeRADIUS packages for all systems, and thus enables FreeRADIUS to start in FIPS mode. Note that you can customize `/etc/raddb/certs/bootstrap` and `/etc/raddb/certs/Makefile` to restore the DH parameter generation if required.
Clone Of:
Environment:
Last Closed: 2020-11-04 03:58:12 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4799 0 None None None 2020-11-04 03:58:21 UTC

Description Ondrej Moriš 2020-07-22 10:38:58 UTC
Description of problem:

During its postinstall scripts freeradius generates keys in /etc/raddb/certs. 

# rpm -q freeradius --scripts
...
if [ $1 -eq 1 ]; then           # install
  # Initial installation
  if [ ! -e /etc/raddb/certs/server.pem ]; then
    /sbin/runuser -g radiusd -c 'umask 007; /etc/raddb/certs/bootstrap' > /dev/null 2>&1
  fi
fi
...

However, in FIPS mode this generation fails and no keys are created. This is caused by not being able to generate DH params:

# cat  /etc/raddb/certs/bootstrap
...
if [ ! -e dh ]; then
  openssl dhparam -out dh 2048 || exit 1
  ln -sf /dev/urandom random
fi
...

In RHEL-8.3 openssl doesn't allow dhparam generation (see BZ#1810911 and BZ#1855822) in FIPS mode because of new requirements for the standard. Execution of openssl command fails and bootstrap script exits. No keys are created and radiusd won't start without them:

# ls /etc/raddb/certs/
bootstrap  ca.cnf  client.cnf  dh  inner-server.cnf  Makefile  passwords.mk  README  server.cnf  xpextensions

# systemctl start radiusd
Job for radiusd.service failed because the control process exited with error code.
See "systemctl status radiusd.service" and "journalctl -xe" for details.

# cat /var/log/radius/radius.log 
Wed Jul 22 06:33:26 2020 : Info: Debugger not attached
Wed Jul 22 06:33:26 2020 : Error: Unable to check file "/etc/raddb/certs/server.pem": No such file or directory
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap[183]: Failed parsing configuration item "private_key_file"
Wed Jul 22 06:33:26 2020 : Error: rlm_eap_tls: Failed initializing SSL context
Wed Jul 22 06:33:26 2020 : Error: rlm_eap (EAP): Failed to initialise rlm_eap_tls
Wed Jul 22 06:33:26 2020 : Error: /etc/raddb/mods-enabled/eap[14]: Instantiation failed for module "eap"


Version-Release number of selected component (if applicable):

freeradius-3.0.20-1.module+el8.3.0+6967+0ef5980f
openssl-1.1.1g-9.el8

How reproducible:

100% in FIPS mode

Steps to Reproduce:

1. Make sure freeradius is not installed and /etc/raddb does not exist.
2. Enable FIPS mode.
2. Install freeradius.
3. Inspect /etc/raddb/certs and start radiusd.

Actual results:

No keys are created and service fails to start.

Expected results:

Keys for CA, server and client are created and services starts.

Additional info:

1. File with dhparams (dh) is never used in bootstrap script, can its generation be removed? Keys will be generated successfully without it.

2. In RHEL-8.2 dhparam file can be generated even in FIPS and hence this issue is new in 8.3.

Comment 1 Alex Scheel 2020-07-22 11:13:26 UTC

*** This bug has been marked as a duplicate of bug 1857230 ***

Comment 2 Alex Scheel 2020-07-22 11:51:34 UTC
Per discussion with Ondrej on IRC, this isn't a duplicate. Clarifying subject.

Comment 4 Alex Scheel 2020-08-07 16:49:33 UTC
Filip,

Still looking for qa_ack+ so we can attach it to the errata.

Comment 30 errata-xmlrpc 2020-11-04 03:58:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: freeradius:3.0 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4799


Note You need to log in before you can comment on or make changes to this bug.