1958979 – Freeradius works in FIPS although it uses MD5

Bug 1958979 - Freeradius works in FIPS although it uses MD5

Summary: Freeradius works in FIPS although it uses MD5

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	freeradius
Sub Component:
Version:	8.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	beta
Target Release:	---
Assignee:	Antonio Torres
QA Contact:	Filip Dvorak
Docs Contact:	lmcgarry
URL:
Whiteboard:
Depends On:	1872689 1884741
Blocks:
TreeView+	depends on / blocked

Reported:	2021-05-10 14:17 UTC by Filip Dvorak
Modified:	2023-01-31 11:56 UTC (History)
CC List:	6 users (show)
Fixed In Version:	freeradius-3.0.20-7.module+el8.5.0+11913+a0aa3fd3
Doc Type:	If docs needed, set a value
Doc Text:	.FreeRADIUS server fails to run in FIPS mode By default, in FIPS mode, OpenSSL disables the use of the MD5 digest algorithm. As the RADIUS protocol requires MD5 to encrypt a secret between the RADIUS client and the RADIUS server, this causes the FreeRADIUS server to fail in FIPS mode. To work around this problem, follow these steps: .Procedure . Create the environment variable, `RADIUS_MD5_FIPS_OVERRIDE` for the `radiusd` service: + [subs="quotes"] ---- systemctl edit radiusd [Service] Environment=RADIUS_MD5_FIPS_OVERRIDE=1 ---- . To apply the change, reload the `systemd` configuration and start the `radiusd` service: + [subs="quotes"] ---- # systemctl daemon-reload # systemctl start radiusd ---- . To run FreeRADIUS in debug mode: + [subs="quotes"] ---- # RADIUS_MD5_FIPS_OVERRIDE=1 radiusd -X ---- Note that though FreeRADIUS can run in FIPS mode, this does not mean that it is FIPS compliant as it uses weak ciphers and functions when in FIPS mode. For more information on configuring FreeRADIUS authentication in FIPS mode, see link:https://access.redhat.com/solutions/4650511[How to configure FreeRADIUS authentication in FIPS mode].
Clone Of:
Environment:
Last Closed:	2021-11-09 18:51:07 UTC
Type:	Bug
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7298	0	None	None	None	2021-11-09 18:57:43 UTC
Red Hat Product Errata	RHBA-2021:4317	0	None	None	None	2021-11-09 18:51:12 UTC

Description Filip Dvorak 2021-05-10 14:17:19 UTC

Description of problem:
The Freeradius (FR) is not FIPS compliant because it uses MD5 function. But in RHEL7 it was possible to use a workaround with the environment variable "OPENSSL_FIPS_NON_APPROVED_ALLOW=1" and configure FR authentication in FIPS [1] or use ipa-otp via RADIUS proxy in FIPS described here [2][3].

I have tried these scenarios (the second after the BZ#1872689 for krb5 was fixed [3]) on RHEL8.4 and they work without any workaround (env. variable "OPENSSL_FIPS_NON_APPROVED_ALLOW=1 is not supported on RHEL8). It means that it was possible to authenticate FR user on radiusd server in FIPS. In my opinion, it is not correct behavior because FR uses MD5 functions which are forbidden in FIPS and the customer, who enabled FIPS mode, expects that all these old and weak ciphers/functions are disabled in FIPS mode.

Because we want to support these scenarios [3 c#21] I would prefer the old behavior from RHEL7. The FR should NOT work in FIPS in RHEL8 but with the help of some env. variable or some extra option in FR (something similar to "radius_md5_fips_override=true" in krb5) the user could be authenticated on FR server in FIPS. 

[1] https://access.redhat.com/solutions/4650511
[2] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#required-settings-for-configuring-radius-proxy-on-an-idm-server-running-in-fips-mode
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1872689

Version-Release number of selected component (if applicable):
RHEL-8.4.0
freeradius-3.0.20-3.module+el8.3.0+7597+67902674.x86_64
krb5-libs-1.18.2-7.el8.x86_64

Steps to Reproduce:
Scenario1 - https://access.redhat.com/solutions/4650511
Scenario2 - https://bugzilla.redhat.com/show_bug.cgi?id=1872689#c0

Actual results:
https://bugzilla.redhat.com/show_bug.cgi?id=1872689#c41

Expected results:
FR authentication should work in FIPS only with some workaround mentioned above.

Additional info:
The list of related documentation is here 
https://bugzilla.redhat.com/show_bug.cgi?id=1884741#c2
(This docu should be modified as soon as this bug is fixed)

Comment 19 errata-xmlrpc 2021-11-09 18:51:07 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (freeradius bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4317

Comment 23 lmcgarry 2022-02-10 14:31:03 UTC

Hi Filip, 

Does this workaround and Known issue apply to RHEL 8.6 also? Thanks

Note You need to log in before you can comment on or make changes to this bug.