From 13dac80c6f89a88d3672bee117fc5cedd7f869d4 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Wed, 1 Apr 2026 15:30:40 +0800 Subject: [PATCH] freeradius: fix radiusd startup failure due to missing openssl legacy provider Radiusd fails to start because the openssl legacy provider is no longer built by default[1]: $ radiusd -C -X FreeRADIUS Version 3.2.8 [snip] (TLS) Failed loading legacy provider Add PACKAGECONFIG[legacy-openssl] to enable openssl legacy provider support. When disabled, pass --enable-fips-workaround to configure instead. Backport two patches to fix the --enable-fips-workaround option. [1] https://git.openembedded.org/openembedded-core/commit/?id=a150c3580f7f4962152444272c0fe07cfdb72df5 Signed-off-by: Yi Zhao Signed-off-by: Khem Raj
---
 ...y-provider-on-enable-fips-workaround.patch | 62 +++++++++++
 ...y-provider-on-enable-fips-workaround.patch | 104 ++++++++++++++++++
 .../freeradius/freeradius_3.2.8.bb | 3 +
 3 files changed, 169 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch b/meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch
new file mode 100644
index 0000000000..594286cdcf
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch
@@ -0,0 +1,62 @@
+From 2c2c6a460ae8cc655df83c8964595581389676c1 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Tue, 9 Sep 2025 07:03:21 -0400
+Subject: [PATCH] don't load legacy provider on --enable-fips-workaround.
+ Fixes #5644
+
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/2c2c6a460ae8cc655df83c8964595581389676c1]
+
+Signed-off-by: Yi Zhao
+---
+ src/main/tls.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index ba267983b1..c04f3228e4 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -64,8 +64,11 @@ USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
+ # include
+
+ static OSSL_PROVIDER *openssl_default_provider = NULL;
++
++#ifndef WITH_FIPS
+ static OSSL_PROVIDER *openssl_legacy_provider = NULL;
+ #endif
++#endif
+
+ #define LOG_PREFIX "tls"
+
+@@ -3693,6 +3696,7 @@ int tls_global_init(TLS_UNUSED bool spawn_flag, TLS_UNUSED bool check)
+ return -1;
+ }
+
++#ifndef WITH_FIPS
+ /*
+ * Needed for MD4
+ *
+@@ -3703,6 +3707,7 @@ int tls_global_init(TLS_UNUSED bool spawn_flag, TLS_UNUSED bool check)
+ ERROR("(TLS) Failed loading legacy provider");
+ return -1;
+ }
++#endif
+ #endif
+
+ return 0;
+@@ -3777,10 +3782,12 @@ void tls_global_cleanup(void)
+ }
+ openssl_default_provider = NULL;
+
++#ifndef WITH_FIPS
+ if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
+ ERROR("Failed unloading legacy provider");
+ }
+ openssl_legacy_provider = NULL;
++#endif
+ #endif
+
+ CONF_modules_unload(1);
+--
+2.43.0
+
diff --git a/meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch b/meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch
new file mode 100644
index 0000000000..84b78320c4
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch 
@@ -0,0 +1,104 @@
+From 2ff8eb44bb626e9e63f9bf06c3bcf3b34291c335 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Tue, 31 Mar 2026 07:45:16 -0400
+Subject: [PATCH] don't load legacy provider on --enable-fips-workaround. Fixes
+ #5775
+
+Upstream-Status: Backport
+[https://github.com/FreeRADIUS/freeradius-server/commit/2ff8eb44bb626e9e63f9bf06c3bcf3b34291c335]
+
+Signed-off-by: Yi Zhao
+---
+ src/main/radclient.c | 6 ++++++
+ src/modules/rlm_mschap/smbencrypt.c | 6 ++++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/src/main/radclient.c b/src/main/radclient.c
+index ea64486dcf..52555603e1 100644
+--- a/src/main/radclient.c
++++ b/src/main/radclient.c
+@@ -168,7 +168,9 @@ static int _rc_request_free(rc_request_t *request)
+ # include
+
+ static OSSL_PROVIDER *openssl_default_provider = NULL;
++#ifndef WITH_FIPS
+ static OSSL_PROVIDER *openssl_legacy_provider = NULL;
++#endif
+
+ static int openssl3_init(void)
+ {
+@@ -181,6 +183,7 @@ static int openssl3_init(void)
+ return -1;
+ }
+
++#ifndef WITH_FIPS
+ /*
+ * Needed for MD4
+ *
+@@ -191,6 +194,7 @@ static int openssl3_init(void)
+ ERROR("(TLS) Failed loading legacy provider");
+ return -1;
+ }
++#endif
+
+ return 0;
+ }
+@@ -202,10 +206,12 @@ static void openssl3_free(void)
+ }
+ openssl_default_provider = NULL;
+
++#ifndef WITH_FIPS
+ if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
+ ERROR("Failed unloading legacy provider");
+ }
+ openssl_legacy_provider = NULL;
++#endif
+ }
+ #else
+ #define openssl3_init()
+diff --git a/src/modules/rlm_mschap/smbencrypt.c b/src/modules/rlm_mschap/smbencrypt.c
+index 9a8a5ab777..531c40ec26 100644
+--- a/src/modules/rlm_mschap/smbencrypt.c
++++ b/src/modules/rlm_mschap/smbencrypt.c
+@@ -43,7 +43,9 @@ static char const hex[] = "0123456789ABCDEF";
+ # include
+
+ static OSSL_PROVIDER *openssl_default_provider = NULL;
++#ifndef WITH_FIPS
+ static OSSL_PROVIDER *openssl_legacy_provider = NULL;
++#endif
+
+ #define ERROR(_x) fprintf(stderr, _x)
+
+@@ -58,6 +60,7 @@ static int openssl3_init(void)
+ return -1;
+ }
+
++#ifndef WITH_FIPS
+ /*
+ * Needed for MD4
+ *
+@@ -68,6 +71,7 @@ static int openssl3_init(void)
+ ERROR("(TLS) Failed loading legacy provider");
+ return -1;
+ }
++#endif
+
+ return 0;
+ }
+@@ -79,10 +83,12 @@ static void openssl3_free(void)
+ }
+ openssl_default_provider = NULL;
+
++#ifndef WITH_FIPS
+ if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
+ ERROR("Failed unloading legacy provider");
+ }
+ openssl_legacy_provider = NULL;
++#endif
+ }
+ #else
+ #define openssl3_init()
+--
+2.43.0
+
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb
index 9b05968638..4be127209b 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.8.bb
@@ -40,6 +40,8 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.2.x;lfs=0
 file://0018-update-license-1.patch \
 file://0019-update-license-2.patch \
 file://0020-update-license-3.patch \
+ file://0001-don-t-load-legacy-provider-on-enable-fips-workaround.patch \
+ file://0002-don-t-load-legacy-provider-on-enable-fips-workaround.patch \
 "
 raddbdir = "${sysconfdir}/${MLPREFIX}raddb"
@@ -114,6 +116,7 @@ PACKAGECONFIG[openssl] = "--with-openssl, --without-openssl"
 PACKAGECONFIG[rlm-eap-fast] = "--with-rlm_eap_fast, --without-rlm_eap_fast"
 PACKAGECONFIG[rlm-eap-pwd] = "--with-rlm_eap_pwd, --without-rlm_eap_pwd"
 PACKAGECONFIG[kafka] = "--with-rlm_kafka, --without-rlm_kafka, librdkafka"
+PACKAGECONFIG[legacy-openssl] = ",--enable-fips-workaround,,openssl-ossl-module-legacy"
 inherit useradd autotools-brokensep update-rc.d systemd multilib_script multilib_header
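Review bot: The retained comment in `openssl3_init()` still says the legacy provider is "Needed for MD4", yet with `WITH_FIPS` defined both `radclient.c` and `smbencrypt.c` now skip loading it, and nothing in these hunks shows where MD4 comes from in that build; the same applies to `tls_global_init()` in patch 0001. If `--enable-fips-workaround` is what switches FreeRADIUS to its own bundled MD4/MD5 code, that is the reason the load is safe to drop. If it is not, the NT-hash computation in `smbencrypt` would fail later, at digest time, rather than at init. Both patches are marked as upstream backports, so I would not edit them, but the recipe commit should record that MS-CHAP and `smbencrypt` were exercised with `legacy-openssl` disabled. The enclosing functions start and end outside the hunks.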
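Review bot: `PACKAGECONFIG[legacy-openssl]` is added without a comment, and the visible hunks do not add it to a default `PACKAGECONFIG`, so unless that happens elsewhere in the recipe every default build is now configured with `--enable-fips-workaround`. The flag name reads like a hardening switch, but the backported patches show it only compiling out the legacy-provider load, so it should not be read as making the image FIPS-compliant. Enabling the option also adds a runtime dependency on `openssl-ossl-module-legacy`, which per the commit message is no longer built by default, so that dependency presumably cannot be satisfied unless openssl is configured to ship the module. I would put a comment above the line, for example `# legacy-openssl: load OpenSSL's legacy provider at runtime (requires openssl to build its legacy module).` followed by `# When unset, --enable-fips-workaround is passed and radiusd does not load the legacy provider.`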