RSN: Do not include RC4 use in FIPS builds

CONFIG_NO_RC4=y could have been used to remove this functionality, but
it might as well be done automatically based on CONFIG_FIPS=y as well.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/ap/wpa_auth.c b/src/ap/wpa_auth.c
index da1ff377dd6e708cbc60224d6392e79e39ee9f07..3d0f6ff6b9f7876444af12a87d0f8eb2ec157e01 100644 (file)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
@@ -1667,7 +1667,7 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
                                    "RSN: Encrypted Key Data from AES-WRAP",
                                    key_data, key_data_len);
                        WPA_PUT_BE16(key_mic + mic_len, key_data_len);
-#ifndef CONFIG_NO_RC4
+#if !defined(CONFIG_NO_RC4) && !defined(CONFIG_FIPS)
                } else if (sm->PTK.kek_len == 16) {
                        u8 ek[32];
 
@@ -1681,7 +1681,7 @@ void __wpa_send_eapol(struct wpa_authenticator *wpa_auth,
                        os_memcpy(key_data, buf, key_data_len);
                        rc4_skip(ek, 32, 256, key_data, key_data_len);
                        WPA_PUT_BE16(key_mic + mic_len, key_data_len);
-#endif /* CONFIG_NO_RC4 */
+#endif /* !(CONFIG_NO_RC4 || CONFIG_FIPS) */
                } else {
                        os_free(hdr);
                        bin_clear_free(buf, key_data_len);

diff --git a/src/rsn_supp/wpa.c b/src/rsn_supp/wpa.c
index 3f8accf138e5dfedcf8d0fc97c569fda5a497b3d..5e4c60891d7cdf5e269bd13e8a4a689824857b96 100644 (file)
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
@@ -2640,11 +2640,11 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
        gd->keyidx = (key_info & WPA_KEY_INFO_KEY_INDEX_MASK) >>
                WPA_KEY_INFO_KEY_INDEX_SHIFT;
        if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
-#ifdef CONFIG_NO_RC4
+#if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
                wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
                        "WPA: RC4 not supported in the build");
                return -1;
-#else /* CONFIG_NO_RC4 */
+#else /* CONFIG_NO_RC4 || CONFIG_FIPS */
                u8 ek[32];
                if (key_data_len > sizeof(gd->gtk)) {
                        wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
@@ -2662,7 +2662,7 @@ static int wpa_supplicant_process_1_of_2_wpa(struct wpa_sm *sm,
                        return -1;
                }
                forced_memzero(ek, sizeof(ek));
-#endif /* CONFIG_NO_RC4 */
+#endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
        } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES) {
                if (maxkeylen % 8) {
                        wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
@@ -3048,11 +3048,11 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
        /* Decrypt key data here so that this operation does not need
         * to be implemented separately for each message type. */
        if (ver == WPA_KEY_INFO_TYPE_HMAC_MD5_RC4 && sm->ptk.kek_len == 16) {
-#ifdef CONFIG_NO_RC4
+#if defined(CONFIG_NO_RC4) || defined(CONFIG_FIPS)
                wpa_msg(sm->ctx->msg_ctx, MSG_WARNING,
                        "WPA: RC4 not supported in the build");
                return -1;
-#else /* CONFIG_NO_RC4 */
+#else /* CONFIG_NO_RC4 || CONFIG_FIPS */
                u8 ek[32];
 
                wpa_printf(MSG_DEBUG, "WPA: Decrypt Key Data using RC4");
@@ -3065,7 +3065,7 @@ static int wpa_supplicant_decrypt_key_data(struct wpa_sm *sm,
                        return -1;
                }
                forced_memzero(ek, sizeof(ek));
-#endif /* CONFIG_NO_RC4 */
+#endif /* CONFIG_NO_RC4 || CONFIG_FIPS */
        } else if (ver == WPA_KEY_INFO_TYPE_HMAC_SHA1_AES ||
                   ver == WPA_KEY_INFO_TYPE_AES_128_CMAC ||
                   wpa_use_aes_key_wrap(sm->key_mgmt)) {