[defect]: Unable to start FreeRadius server due to missing OpenSSL legacy provider

[MatejVavkanEricsson]

What type of defect/bug is this?

Unexpected behaviour (obvious or verified by project member)

How can the issue be reproduced?

The issue can be seen when FreeRadius is started with OpenSSL v3.2.4 that is build without enabled legacy provider.

Due to security reasons we are unable to include legacy provider in our build of OpenSSL library.
So we wanted to ask if there is a way of resolving this issue.

From our perspective the best way to resolve this issue is to have a build/run option to skip this check:
/* * Needed for MD4 * * https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms */ openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy"); if (!openssl_legacy_provider) { ERROR("(TLS) Failed loading legacy provider"); return -1; }

Since we are using only EAP-TLS for authentication we wanted to raise a question if there is even a need to have this MD4 algorithm available?
We are willing to contribute in creating a patch based on your approved solution.

Best regards.

Log output from the FreeRADIUS daemon

FreeRADIUS Version 3.2.7
Copyright (C) 1999-2023 The FreeRADIUS server project and contributors
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License
For more information about these matters, see the file named COPYRIGHT
(TLS) Failed loading legacy provider

Relevant log output from client utilities

No response

Backtrace from LLDB or GDB

[alandekok]

You need the legacy provider to do MD5. RADIUS needs MD5. There is a build flag to fix this.

You will need to re-build FreeRADIUS with ./configure --enable-fips-workaround in order to enable the local MD5 code.

[MatejVavkanEricsson]

Hi @alandekok ,
thanks for the fast reply.

We have tried this, but the same issue occurs.
I'm guessing "--enable-fips-workaround" does not skip this checker:

openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
if (!openssl_legacy_provider) {
ERROR("(TLS) Failed loading legacy provider");
return -1;
}

But rather it does the MD5 sum calculation locally in FreeRadius.

Is there a way to have this flag enabled so to use MD5 locally and not to have legacy provider in OpenSSL?

[alandekok]

I've pushed a fix. You can test it by downloading the latest code and re-building.

[MatejVavkanEricsson]

Hi @alandekok ,

the fix works, thanks for the quick turnaround.
But I have one question, We are currently using version 3.2.7, will this fix be available also on that version or will it be a part of new version, maybe 3.2.9 and if it will when will new version be available?

BRs.

[alandekok]

We do not backport patches. You will need to use the code from git, or 3.2.9 when that becomes available.

[pperisin]

Just maybe additional comment. to compile with fips workaround you need to also --enable-developer. I am not sure if this is expected.

Maybe suggestion to allow to --enable-fips-workaround flage to have impact even if --disable-developer option is set

[alandekok]

I don't see it as needing --enable-developer. Where do you see that limitation?

[pperisin]

In configure.ac fips is only used on lines 1972 and 1975. However this is in a enable-developer block that goes from line 1954 to line 2071