3 files changed, 169 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch
new file mode 100644
index 0000000000..594286cdcf
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch
@@ -0,0 +1,62 @@
+From 2c2c6a460ae8cc655df83c8964595581389676c1 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 9 Sep 2025 07:03:21 -0400
+Subject: [PATCH] don't load legacy provider on --enable-fips-workaround. 
+ Fixes #5644
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/2c2c6a460ae8cc655df83c8964595581389676c1]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/main/tls.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+diff --git a/src/main/tls.c b/src/main/tls.c
+index ba267983b1..c04f3228e4 100644
+--- a/src/main/tls.c
+++ b/src/main/tls.c
+@@ -64,8 +64,11 @@ USES_APPLE_DEPRECATED_API    /* OpenSSL API has been deprecated by Apple */
+ #  include <openssl/provider.h>
+ 
+ static OSSL_PROVIDER *openssl_default_provider = NULL;
+
+#ifndef WITH_FIPS
+ static OSSL_PROVIDER *openssl_legacy_provider = NULL;
+ #endif
+#endif
+ 
+ #define LOG_PREFIX "tls"
+ 
+@@ -3693,6 +3696,7 @@ int tls_global_init(TLS_UNUSED bool spawn_flag, TLS_UNUSED bool check)
+                return -1;
+        }
+ 
+#ifndef WITH_FIPS
+        /*
+         *      Needed for MD4
+         *
+@@ -3703,6 +3707,7 @@ int tls_global_init(TLS_UNUSED bool spawn_flag, TLS_UNUSED bool check)
+                ERROR("(TLS) Failed loading legacy provider");
+                return -1;
+        }
+#endif
+ #endif
+ 
+        return 0;
+@@ -3777,10 +3782,12 @@ void tls_global_cleanup(void)
+        }
+        openssl_default_provider = NULL;
+ 
+#ifndef WITH_FIPS
+        if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
+                ERROR("Failed unloading legacy provider");
+        }
+        openssl_legacy_provider = NULL;
+#endif
+ #endif
+ 
+        CONF_modules_unload(1);
+-- 
+2.43.0
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch b/meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch
new file mode 100644
index 0000000000..84b78320c4
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch
@@ -0,0 +1,104 @@
+From 2ff8eb44bb626e9e63f9bf06c3bcf3b34291c335 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 31 Mar 2026 07:45:16 -0400
+Subject: [PATCH] don't load legacy provider on --enable-fips-workaround. Fixes
+ #5775
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/2ff8eb44bb626e9e63f9bf06c3bcf3b34291c335]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ src/main/radclient.c                | 6 ++++++
+ src/modules/rlm_mschap/smbencrypt.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+diff --git a/src/main/radclient.c b/src/main/radclient.c
+index ea64486dcf..52555603e1 100644
+--- a/src/main/radclient.c
+++ b/src/main/radclient.c
+@@ -168,7 +168,9 @@ static int _rc_request_free(rc_request_t *request)
+ #  include <openssl/provider.h>
+ 
+ static OSSL_PROVIDER *openssl_default_provider = NULL;
+#ifndef WITH_FIPS
+ static OSSL_PROVIDER *openssl_legacy_provider = NULL;
+#endif
+ 
+ static int openssl3_init(void)
+ {
+@@ -181,6 +183,7 @@ static int openssl3_init(void)
+                return -1;
+        }
+ 
+#ifndef WITH_FIPS
+        /*
+         *      Needed for MD4
+         *
+@@ -191,6 +194,7 @@ static int openssl3_init(void)
+                ERROR("(TLS) Failed loading legacy provider");
+                return -1;
+        }
+#endif
+ 
+        return 0;
+ }
+@@ -202,10 +206,12 @@ static void openssl3_free(void)
+        }
+        openssl_default_provider = NULL;
+ 
+#ifndef WITH_FIPS
+        if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
+                ERROR("Failed unloading legacy provider");
+        }
+        openssl_legacy_provider = NULL;
+#endif
+ }
+ #else
+ #define openssl3_init()
+diff --git a/src/modules/rlm_mschap/smbencrypt.c b/src/modules/rlm_mschap/smbencrypt.c
+index 9a8a5ab777..531c40ec26 100644
+--- a/src/modules/rlm_mschap/smbencrypt.c
+++ b/src/modules/rlm_mschap/smbencrypt.c
+@@ -43,7 +43,9 @@ static char const hex[] = "0123456789ABCDEF";
+ #  include <openssl/provider.h>
+ 
+ static OSSL_PROVIDER *openssl_default_provider = NULL;
+#ifndef WITH_FIPS
+ static OSSL_PROVIDER *openssl_legacy_provider = NULL;
+#endif
+ 
+ #define ERROR(_x) fprintf(stderr, _x)
+ 
+@@ -58,6 +60,7 @@ static int openssl3_init(void)
+                return -1;
+        }
+ 
+#ifndef WITH_FIPS
+        /*
+         *      Needed for MD4
+         *
+@@ -68,6 +71,7 @@ static int openssl3_init(void)
+                ERROR("(TLS) Failed loading legacy provider");
+                return -1;
+        }
+#endif
+ 
+        return 0;
+ }
+@@ -79,10 +83,12 @@ static void openssl3_free(void)
+        }
+        openssl_default_provider = NULL;
+ 
+#ifndef WITH_FIPS
+        if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
+                ERROR("Failed unloading legacy provider");
+        }
+        openssl_legacy_provider = NULL;
+#endif
+ }
+ #else
+ #define openssl3_init()
+-- 
+2.43.0
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb
index 9b05968638..4be127209b 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb
@@ -40,6 +40,8 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.2.x;lfs=0
    file://0018-update-license-1.patch \
    file://0019-update-license-2.patch \
    file://0020-update-license-3.patch \
+    file://0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch \
+    file://0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch \
 "
 raddbdir = "${sysconfdir}/${MLPREFIX}raddb"
@@ -114,6 +116,7 @@ PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl"
 PACKAGECONFIG[rlm-eap-fast] = "--with-rlm_eap_fast, --without-rlm_eap_fast"
 PACKAGECONFIG[rlm-eap-pwd] = "--with-rlm_eap_pwd, --without-rlm_eap_pwd"
 PACKAGECONFIG[kafka] = "--with-rlm_kafka, --without-rlm_kafka, librdkafka"
+PACKAGECONFIG[legacy-openssl] = ",--enable-fips-workaround,,openssl-ossl-module-legacy"
 inherit useradd autotools-brokensep update-rc.d systemd multilib_script multilib_header

diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch new file mode 100644 index 0000000000..594286cdcf --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch
@@ -0,0 +1,62 @@
		1	From 2c2c6a460ae8cc655df83c8964595581389676c1 Mon Sep 17 00:00:00 2001
		2	From: "Alan T. DeKok" <aland@freeradius.org>
		3	Date: Tue, 9 Sep 2025 07:03:21 -0400
		4	Subject: [PATCH] don't load legacy provider on --enable-fips-workaround.
		5	Fixes #5644
		6
		7	Upstream-Status: Backport
		8	[https://github.com/FreeRADIUS/freeradius-server/commit/2c2c6a460ae8cc655df83c8964595581389676c1]
		9
		10	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		11	---
		12	src/main/tls.c \| 7 +++++++
		13	1 file changed, 7 insertions(+)
		14
		15	diff --git a/src/main/tls.c b/src/main/tls.c
		16	index ba267983b1..c04f3228e4 100644
		17	--- a/src/main/tls.c
		18	+++ b/src/main/tls.c
		19	@@ -64,8 +64,11 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
		20	# include <openssl/provider.h>
		21
		22	static OSSL_PROVIDER *openssl_default_provider = NULL;
		23	+
		24	+#ifndef WITH_FIPS
		25	static OSSL_PROVIDER *openssl_legacy_provider = NULL;
		26	#endif
		27	+#endif
		28
		29	#define LOG_PREFIX "tls"
		30
		31	@@ -3693,6 +3696,7 @@ int tls_global_init(TLS_UNUSED bool spawn_flag, TLS_UNUSED bool check)
		32	return -1;
		33	}
		34
		35	+#ifndef WITH_FIPS
		36	/*
		37	* Needed for MD4
		38	*
		39	@@ -3703,6 +3707,7 @@ int tls_global_init(TLS_UNUSED bool spawn_flag, TLS_UNUSED bool check)
		40	ERROR("(TLS) Failed loading legacy provider");
		41	return -1;
		42	}
		43	+#endif
		44	#endif
		45
		46	return 0;
		47	@@ -3777,10 +3782,12 @@ void tls_global_cleanup(void)
		48	}
		49	openssl_default_provider = NULL;
		50
		51	+#ifndef WITH_FIPS
		52	if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
		53	ERROR("Failed unloading legacy provider");
		54	}
		55	openssl_legacy_provider = NULL;
		56	+#endif
		57	#endif
		58
		59	CONF_modules_unload(1);
		60	--
		61	2.43.0
		62


diff --git a/meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch b/meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch new file mode 100644 index 0000000000..84b78320c4 --- /dev/null +++ b/meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch
@@ -0,0 +1,104 @@
		1	From 2ff8eb44bb626e9e63f9bf06c3bcf3b34291c335 Mon Sep 17 00:00:00 2001
		2	From: Yi Zhao <yi.zhao@windriver.com>
		3	Date: Tue, 31 Mar 2026 07:45:16 -0400
		4	Subject: [PATCH] don't load legacy provider on --enable-fips-workaround. Fixes
		5	#5775
		6
		7	Upstream-Status: Backport
		8	[https://github.com/FreeRADIUS/freeradius-server/commit/2ff8eb44bb626e9e63f9bf06c3bcf3b34291c335]
		9
		10	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		11	---
		12	src/main/radclient.c \| 6 ++++++
		13	src/modules/rlm_mschap/smbencrypt.c \| 6 ++++++
		14	2 files changed, 12 insertions(+)
		15
		16	diff --git a/src/main/radclient.c b/src/main/radclient.c
		17	index ea64486dcf..52555603e1 100644
		18	--- a/src/main/radclient.c
		19	+++ b/src/main/radclient.c
		20	@@ -168,7 +168,9 @@ static int _rc_request_free(rc_request_t *request)
		21	# include <openssl/provider.h>
		22
		23	static OSSL_PROVIDER *openssl_default_provider = NULL;
		24	+#ifndef WITH_FIPS
		25	static OSSL_PROVIDER *openssl_legacy_provider = NULL;
		26	+#endif
		27
		28	static int openssl3_init(void)
		29	{
		30	@@ -181,6 +183,7 @@ static int openssl3_init(void)
		31	return -1;
		32	}
		33
		34	+#ifndef WITH_FIPS
		35	/*
		36	* Needed for MD4
		37	*
		38	@@ -191,6 +194,7 @@ static int openssl3_init(void)
		39	ERROR("(TLS) Failed loading legacy provider");
		40	return -1;
		41	}
		42	+#endif
		43
		44	return 0;
		45	}
		46	@@ -202,10 +206,12 @@ static void openssl3_free(void)
		47	}
		48	openssl_default_provider = NULL;
		49
		50	+#ifndef WITH_FIPS
		51	if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
		52	ERROR("Failed unloading legacy provider");
		53	}
		54	openssl_legacy_provider = NULL;
		55	+#endif
		56	}
		57	#else
		58	#define openssl3_init()
		59	diff --git a/src/modules/rlm_mschap/smbencrypt.c b/src/modules/rlm_mschap/smbencrypt.c
		60	index 9a8a5ab777..531c40ec26 100644
		61	--- a/src/modules/rlm_mschap/smbencrypt.c
		62	+++ b/src/modules/rlm_mschap/smbencrypt.c
		63	@@ -43,7 +43,9 @@ static char const hex[] = "0123456789ABCDEF";
		64	# include <openssl/provider.h>
		65
		66	static OSSL_PROVIDER *openssl_default_provider = NULL;
		67	+#ifndef WITH_FIPS
		68	static OSSL_PROVIDER *openssl_legacy_provider = NULL;
		69	+#endif
		70
		71	#define ERROR(_x) fprintf(stderr, _x)
		72
		73	@@ -58,6 +60,7 @@ static int openssl3_init(void)
		74	return -1;
		75	}
		76
		77	+#ifndef WITH_FIPS
		78	/*
		79	* Needed for MD4
		80	*
		81	@@ -68,6 +71,7 @@ static int openssl3_init(void)
		82	ERROR("(TLS) Failed loading legacy provider");
		83	return -1;
		84	}
		85	+#endif
		86
		87	return 0;
		88	}
		89	@@ -79,10 +83,12 @@ static void openssl3_free(void)
		90	}
		91	openssl_default_provider = NULL;
		92
		93	+#ifndef WITH_FIPS
		94	if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
		95	ERROR("Failed unloading legacy provider");
		96	}
		97	openssl_legacy_provider = NULL;
		98	+#endif
		99	}
		100	#else
		101	#define openssl3_init()
		102	--
		103	2.43.0
		104


diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb index 9b05968638..4be127209b 100644 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb
@@ -40,6 +40,8 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.2.x;lfs=0
40	file://0018-update-license-1.patch \	40	file://0018-update-license-1.patch \
41	file://0019-update-license-2.patch \	41	file://0019-update-license-2.patch \
42	file://0020-update-license-3.patch \	42	file://0020-update-license-3.patch \
		43	file://0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch \
		44	file://0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch \
43	"	45	"
44		46
45	raddbdir = "${sysconfdir}/${MLPREFIX}raddb"	47	raddbdir = "${sysconfdir}/${MLPREFIX}raddb"
@@ -114,6 +116,7 @@ PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl"
114	PACKAGECONFIG[rlm-eap-fast] = "--with-rlm_eap_fast, --without-rlm_eap_fast"	116	PACKAGECONFIG[rlm-eap-fast] = "--with-rlm_eap_fast, --without-rlm_eap_fast"
115	PACKAGECONFIG[rlm-eap-pwd] = "--with-rlm_eap_pwd, --without-rlm_eap_pwd"	117	PACKAGECONFIG[rlm-eap-pwd] = "--with-rlm_eap_pwd, --without-rlm_eap_pwd"
116	PACKAGECONFIG[kafka] = "--with-rlm_kafka, --without-rlm_kafka, librdkafka"	118	PACKAGECONFIG[kafka] = "--with-rlm_kafka, --without-rlm_kafka, librdkafka"
		119	PACKAGECONFIG[legacy-openssl] = ",--enable-fips-workaround,,openssl-ossl-module-legacy"
117		120
118	inherit useradd autotools-brokensep update-rc.d systemd multilib_script multilib_header	121	inherit useradd autotools-brokensep update-rc.d systemd multilib_script multilib_header
119		122