Make Openssl CMAC API (omac1_aes_vector) Availalable in Non FIPs Mode (
…#85)

The wpa_supplicant OpenSSL CMAC wrapper API (omac1_aes_vector) is only available when FIPS is enabled for the build, which should not be the case. The OpenSSL CMAC wrapper API should also be available in non-FIPS mode. When wpa_supplicant is built to use OpenSSL, the OpenSSL CMAC should be used instead of the wpa internal one.

The fix is mostly taking from hostap with those changes already:
https://w1.fi/cgit/hostap/commit/src/crypto?id=ae0f6ee97ed4924189f2cd68548d2a971f17d67e https://w1.fi/cgit/hostap/commit/wpa_supplicant/Makefile?id=ae0f6ee97ed4924189f2cd68548d2a971f17d67e

Testing has been done with the changes with FIPS and non FIPS mode by running sonic macsec testing suite. It's observed in all scenario openssl CMAC API is triggered.
wumiaont authored Mar 23, 2024
1 parent 13e6f11 commit 3c7fd8e
Showing 3 changed files with 5 additions and 8 deletions.
2 changes: 2 additions & 0 deletions hostapd/Makefile
Expand Up @@ -919,11 +919,13 @@ endif
ifdef NEED_AES_ENCBLOCK
AESOBJS += ../src/crypto/aes-encblock.o
endif
ifneq ($(CONFIG_TLS), openssl)
ifneq ($(CONFIG_TLS), linux)
ifneq ($(CONFIG_TLS), wolfssl)
AESOBJS += ../src/crypto/aes-omac1.o
endif
endif
endif
ifdef NEED_AES_UNWRAP
ifneq ($(CONFIG_TLS), openssl)
ifneq ($(CONFIG_TLS), linux)
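Review bot: The nested `ifneq` chain around `../src/crypto/aes-omac1.o` has no comment saying why these three `CONFIG_TLS` values are excluded, and its three bare `endif` lines are hard to pair up. A one-line comment above the chain would help, for example `# these crypto backends provide their own omac1_aes_vector(); do not link the internal one as well`, assuming that is the reason (the linux and wolfssl backend sources are not on this page). The same chain appears in wpa_supplicant/Makefile in this commit and would benefit from the same comment.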
6 changes: 2 additions & 4 deletions src/crypto/crypto_openssl.c
Expand Up @@ -16,9 +16,9 @@
#include <openssl/dh.h>
#include <openssl/hmac.h>
#include <openssl/rand.h>
#ifdef CONFIG_OPENSSL_CMAC
#if OPENSSL_VERSION_NUMBER < 0x30000000L
#include <openssl/cmac.h>
#endif /* CONFIG_OPENSSL_CMAC */
#endif /* OpenSSL version < 3.0 */
#ifdef CONFIG_ECC
#include <openssl/ec.h>
#include <openssl/x509.h>
Expand Down Expand Up @@ -1214,7 +1214,6 @@ int crypto_get_random(void *buf, size_t len)
}


#ifdef CONFIG_OPENSSL_CMAC
int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
Expand Down Expand Up @@ -1308,7 +1307,6 @@ int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
{
return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
}
#endif /* CONFIG_OPENSSL_CMAC */


struct crypto_bignum * crypto_bignum_init(void)
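Review bot: `omac1_aes_vector()` is now compiled in every OpenSSL build, but `<openssl/cmac.h>` is included only when `OPENSSL_VERSION_NUMBER < 0x30000000L`, so the function body needs a 3.x path that avoids the `CMAC_*` API. That body is collapsed between the second and third hunks and cannot be checked here; if it still uses `CMAC_CTX` unconditionally, a build against OpenSSL 3.x would lose the prototypes. Removing `CONFIG_OPENSSL_CMAC` also removes the only opt-out for a library built without CMAC. An `#ifdef OPENSSL_NO_CMAC` / `#error "OpenSSL CMAC support is required"` / `#endif` check next to the include would make that failure explicit, rather than leaving it to a missing-symbol error.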
5 changes: 1 addition & 4 deletions wpa_supplicant/Makefile
Expand Up @@ -75,7 +75,6 @@ endif

ifdef CONFIG_FIPS
CONFIG_NO_RANDOM_POOL=
CONFIG_OPENSSL_CMAC=y
endif

OBJS = config.o
Expand Down Expand Up @@ -1330,9 +1329,7 @@ ifdef NEED_AES_ENCBLOCK
AESOBJS += ../src/crypto/aes-encblock.o
endif
NEED_AES_ENC=y
ifdef CONFIG_OPENSSL_CMAC
CFLAGS += -DCONFIG_OPENSSL_CMAC
else
ifneq ($(CONFIG_TLS), openssl)
ifneq ($(CONFIG_TLS), linux)
ifneq ($(CONFIG_TLS), wolfssl)
AESOBJS += ../src/crypto/aes-omac1.o
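Review bot: With `CONFIG_OPENSSL_CMAC=y` no longer forced under `ifdef CONFIG_FIPS`, a FIPS build is kept off the internal `../src/crypto/aes-omac1.o` only by the value of `CONFIG_TLS`. Going by the deletion counts on this page, the removed `ifdef CONFIG_OPENSSL_CMAC` … `else` used to exclude the internal CMAC for every FIPS build. Now `CONFIG_FIPS` combined with a `CONFIG_TLS` other than openssl, linux or wolfssl would link the internal implementation without any warning. If FIPS builds are meant to use only the OpenSSL CMAC, add a check inside the `ifdef CONFIG_FIPS` block: `ifneq ($(CONFIG_TLS), openssl)`, `$(error CONFIG_FIPS requires CONFIG_TLS=openssl)`, `endif`. The `ifneq` chain in the second hunk continues past the end of the hunk.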
