OpenSSL: CMAC using the OpenSSL library for non-FIPS cases as well

Commit 0b5e98557eca ("FIPS: Use OpenSSL CMAC implementation instead of
aes-omac1.c") added this implementation initially only for the FIPS
builds. However, there does not seem to be any remaining need to avoid
depending on the OpenSSL library implementation for builds, so move to
that implementation unconditionally to reduce the binary size a bit.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index bf26e41c6b23c1f9f6ce4cb29cb9a0f0b359301e..b89f3a69f1678d989be0ade7202ed13ed3f99a17 100644 (file)
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -825,7 +825,9 @@ endif
 ifdef NEED_AES_ENCBLOCK
 AESOBJS += src/crypto/aes-encblock.c
 endif
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += src/crypto/aes-omac1.c
+endif
 ifdef NEED_AES_UNWRAP
 ifneq ($(CONFIG_TLS), openssl)
 NEED_AES_DEC=y

diff --git a/hostapd/Makefile b/hostapd/Makefile
index e37c13b27a6e18967e14fc3632fcf41885704ca4..0f92390529e12d670198f560b47905227a8764f4 100644 (file)
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -932,11 +932,13 @@ endif
 ifdef NEED_AES_ENCBLOCK
 AESOBJS += ../src/crypto/aes-encblock.o
 endif
+ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)
 ifneq ($(CONFIG_TLS), wolfssl)
 AESOBJS += ../src/crypto/aes-omac1.o
 endif
 endif
+endif
 ifdef NEED_AES_UNWRAP
 ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)

diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index c032b889a405ad6f0274a46002a8733cbf5caf66..a54ec71a8adf1ed013b8669d43fbd710e33bbd34 100644 (file)
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -16,9 +16,6 @@
 #include <openssl/dh.h>
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
-#ifdef CONFIG_OPENSSL_CMAC
-#include <openssl/cmac.h>
-#endif /* CONFIG_OPENSSL_CMAC */
 #ifdef CONFIG_ECC
 #include <openssl/ec.h>
 #include <openssl/x509.h>
@@ -28,6 +25,8 @@
 #include <openssl/provider.h>
 #include <openssl/core_names.h>
 #include <openssl/param_build.h>
+#else /* OpenSSL version >= 3.0 */
+#include <openssl/cmac.h>
 #endif /* OpenSSL version >= 3.0 */
 
 #include "common.h"
@@ -1739,7 +1738,6 @@ int crypto_get_random(void *buf, size_t len)
 }
 
 
-#ifdef CONFIG_OPENSSL_CMAC
 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
                     const u8 *addr[], const size_t *len, u8 *mac)
 {
@@ -1838,7 +1836,6 @@ int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
 {
        return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
 }
-#endif /* CONFIG_OPENSSL_CMAC */
 
 
 struct crypto_bignum * crypto_bignum_init(void)

diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index e45357940ff5d354d7d769ef1014228b9079580f..0e0ce467c8127427f946013d5e125494b0ceb1d4 100644 (file)
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -86,7 +86,6 @@ endif
 
 ifdef CONFIG_FIPS
 CONFIG_NO_RANDOM_POOL=
-CONFIG_OPENSSL_CMAC=y
 endif
 
 OBJS = config.c
@@ -1268,9 +1267,7 @@ ifdef NEED_AES_ENCBLOCK
 AESOBJS += src/crypto/aes-encblock.c
 endif
 NEED_AES_ENC=y
-ifdef CONFIG_OPENSSL_CMAC
-L_CFLAGS += -DCONFIG_OPENSSL_CMAC
-else
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += src/crypto/aes-omac1.c
 endif
 ifdef NEED_AES_WRAP

diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index dfa78bd45faa5ef7e16d52c00a08b95f0ceca75a..ed49aa972f5cf8e4c63b7e46ef17ca3a585aa39e 100644 (file)
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -84,7 +84,6 @@ endif
 
 ifdef CONFIG_FIPS
 CONFIG_NO_RANDOM_POOL=
-CONFIG_OPENSSL_CMAC=y
 endif
 
 OBJS = config.o
@@ -1362,9 +1361,7 @@ ifdef NEED_AES_ENCBLOCK
 AESOBJS += ../src/crypto/aes-encblock.o
 endif
 NEED_AES_ENC=y
-ifdef CONFIG_OPENSSL_CMAC
-CFLAGS += -DCONFIG_OPENSSL_CMAC
-else
+ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)
 ifneq ($(CONFIG_TLS), wolfssl)
 AESOBJS += ../src/crypto/aes-omac1.o