Disable FIPS mode when RADIUS is being used
Alan DeKok
aland at deployingradius.com
Mon Feb 24 13:45:10 PST 2025
OpenSSL can operate in FIPS mode, where this is a configuration flag, and not a build requirement. Applications like RADIUS need to disable FIPS, otherwise the Response Authenticator and Message-Authenticator won't be calculated correctly.
OpenSSL will not return an error when asked to do MD4 / MD5 calculations. It will just silently do the wrong thing. For an example FreeRADIUS / eapol_test output, see:
https://lists.freeradius.org/pipermail/freeradius-users/2025-February/105332.html
I've attached two patches.
One patch adds a fips_disable() function to src/crypto/crypto*.c. The OpenSSL one tries to disable FIPS, and returns an error if it cannot. The other crypto*.c files have an empty function defined, which always succeeds.
The second patch makes the RADIUS client and server call the new fips_disable() function.
Alan DeKok.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-function-to-disable-FIPS-mode.patch
Type: application/octet-stream
Size: 4133 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20250224/f1722fdf/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-Disable-FIPS-when-initializing-RADIUS-client-or-serv.patch
Type: application/octet-stream
Size: 1584 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20250224/f1722fdf/attachment-0001.obj>
More information about the Hostap
mailing list