From: Jouni Malinen Date: Fri, 15 Apr 2022 08:14:51 +0000 (+0300) Subject: OpenSSL: CMAC using the OpenSSL library for non-FIPS cases as well X-Git-Tag: hostap_2_11~2073 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ae0f6ee97ed4924189f2cd68548d2a971f17d67e;p=thirdparty%2Fhostap.git OpenSSL: CMAC using the OpenSSL library for non-FIPS cases as well Commit 0b5e98557eca ("FIPS: Use OpenSSL CMAC implementation instead of aes-omac1.c") added this implementation initially only for the FIPS builds. However, there does not seem to be any remaining need to avoid depending on the OpenSSL library implementation for builds, so move to that implementation unconditionally to reduce the binary size a bit. Signed-off-by: Jouni Malinen --- diff --git a/hostapd/Android.mk b/hostapd/Android.mk index bf26e41c6..b89f3a69f 100644 --- a/hostapd/Android.mk +++ b/hostapd/Android.mk @@ -825,7 +825,9 @@ endif ifdef NEED_AES_ENCBLOCK AESOBJS += src/crypto/aes-encblock.c endif +ifneq ($(CONFIG_TLS), openssl) AESOBJS += src/crypto/aes-omac1.c +endif ifdef NEED_AES_UNWRAP ifneq ($(CONFIG_TLS), openssl) NEED_AES_DEC=y diff --git a/hostapd/Makefile b/hostapd/Makefile index e37c13b27..0f9239052 100644 --- a/hostapd/Makefile +++ b/hostapd/Makefile @@ -932,11 +932,13 @@ endif ifdef NEED_AES_ENCBLOCK AESOBJS += ../src/crypto/aes-encblock.o endif +ifneq ($(CONFIG_TLS), openssl) ifneq ($(CONFIG_TLS), linux) ifneq ($(CONFIG_TLS), wolfssl) AESOBJS += ../src/crypto/aes-omac1.o endif endif +endif ifdef NEED_AES_UNWRAP ifneq ($(CONFIG_TLS), openssl) ifneq ($(CONFIG_TLS), linux) diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c index c032b889a..a54ec71a8 100644 --- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c @@ -16,9 +16,6 @@ #include #include #include -#ifdef CONFIG_OPENSSL_CMAC -#include -#endif /* CONFIG_OPENSSL_CMAC */ #ifdef CONFIG_ECC #include #include 
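Review bot: The new `ifneq ($(CONFIG_TLS), openssl)` around `AESOBJS += src/crypto/aes-omac1.c` in hostapd/Android.mk (`@@ -825,7 +825,9 @@`) has no comment saying why the file is skipped, and the reason sits in another file: after this commit crypto_openssl.c defines `omac1_aes_vector()` and its wrappers unconditionally. I would add one line above the conditional, `# crypto_openssl.c implements omac1_aes_*() itself; aes-omac1 is only for backends that do not`, so that the build rule and the C file are not changed independently later. The same comment fits the matching conditionals in hostapd/Makefile (`@@ -932,11 +932,13 @@`) and in the two wpa_supplicant build files.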
@@ -28,6 +25,8 @@ #include #include #include +#else /* OpenSSL version >= 3.0 */ +#include #endif /* OpenSSL version >= 3.0 */ #include "common.h" @@ -1739,7 +1738,6 @@ int crypto_get_random(void *buf, size_t len) } -#ifdef CONFIG_OPENSSL_CMAC int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) { @@ -1838,7 +1836,6 @@ int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac) { return omac1_aes_vector(key, 32, 1, &data, &data_len, mac); } -#endif /* CONFIG_OPENSSL_CMAC */ struct crypto_bignum * crypto_bignum_init(void) diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk index e45357940..0e0ce467c 100644 --- a/wpa_supplicant/Android.mk +++ b/wpa_supplicant/Android.mk @@ -86,7 +86,6 @@ endif ifdef CONFIG_FIPS CONFIG_NO_RANDOM_POOL= -CONFIG_OPENSSL_CMAC=y endif OBJS = config.c @@ -1268,9 +1267,7 @@ ifdef NEED_AES_ENCBLOCK AESOBJS += src/crypto/aes-encblock.c endif NEED_AES_ENC=y -ifdef CONFIG_OPENSSL_CMAC -L_CFLAGS += -DCONFIG_OPENSSL_CMAC -else +ifneq ($(CONFIG_TLS), openssl) AESOBJS += src/crypto/aes-omac1.c endif ifdef NEED_AES_WRAP diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index dfa78bd45..ed49aa972 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -84,7 +84,6 @@ endif ifdef CONFIG_FIPS CONFIG_NO_RANDOM_POOL= -CONFIG_OPENSSL_CMAC=y endif OBJS = config.o @@ -1362,9 +1361,7 @@ ifdef NEED_AES_ENCBLOCK AESOBJS += ../src/crypto/aes-encblock.o endif NEED_AES_ENC=y -ifdef CONFIG_OPENSSL_CMAC -CFLAGS += -DCONFIG_OPENSSL_CMAC -else +ifneq ($(CONFIG_TLS), openssl) ifneq ($(CONFIG_TLS), linux) ifneq ($(CONFIG_TLS), wolfssl) AESOBJS += ../src/crypto/aes-omac1.o
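Review bot: The added `#else /* OpenSSL version >= 3.0 */` in the `@@ -28,6 +25,8 @@` hunk labels the branch taken for library versions below 3.0 with the 3.0 condition. That matches the habit of repeating the opening condition on `#else`, but for a version comparison it reads as if the include beneath it were for 3.0 and later. Something like `#else /* OpenSSL version < 3.0 */` would make it clear that the added header is only pulled in for older libraries; the include target itself is not legible on this page, so it is presumably the CMAC header.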
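Review bot: Dropping `#ifdef CONFIG_OPENSSL_CMAC` in front of `omac1_aes_vector()` in the `@@ -1739,7 +1738,6 @@` hunk (its `#endif` goes in `@@ -1838,7 +1836,6 @@`) makes every build of crypto_openssl.c depend on CMAC support in the linked library, and nothing in the file says so. A library built without CMAC would presumably now fail to compile or link here instead of using aes-omac1.c, so I would state the requirement in a comment above the function, for example `/* CMAC always comes from the OpenSSL library; aes-omac1.c is not built with CONFIG_TLS=openssl */`. The function body is outside this hunk, so its error paths cannot be checked from here. Because every OpenSSL build now takes its CMAC output from this code, it is worth confirming that known-answer vectors for each key length the wrappers accept are also run against a non-FIPS build.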
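Review bot: Keying the aes-omac1.c rule on `ifneq ($(CONFIG_TLS), openssl)` alone in wpa_supplicant/Android.mk (`@@ -1268,9 +1267,7 @@`) means a `CONFIG_FIPS` build with any other CONFIG_TLS value now links the internal CMAC without a diagnostic. Before this commit `CONFIG_OPENSSL_CMAC=y` was forced under `ifdef CONFIG_FIPS` (removed in the `@@ -86,7 +86,6 @@` hunk), and the old `ifdef CONFIG_OPENSSL_CMAC` / `else` kept that file out of every FIPS build. Whether CONFIG_FIPS is meant to work with other backends is not visible here; if it is not, failing early is safer than a silent fallback, e.g. inside the `ifneq` block: `ifdef CONFIG_FIPS`, `$(error CONFIG_FIPS requires CONFIG_TLS=openssl)`, `endif`. The same applies to wpa_supplicant/Makefile (`@@ -1362,9 +1361,7 @@`), where the nested conditional continues past the end of the hunk.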