[WPA Supplicant] FIPS - Again

Thu Oct 1 10:53:57 PDT 2015

On Wed, Sep 30, 2015 at 01:25:22PM +1000, Sergio NNX wrote:
> I'm trying to build the latest version of wpa_supplicant from source with FIPS enabled (a.k.a. CONFIG_FIPS=y). Unfortunately, there are errors shown below:
> 
> ../src/eap_peer/eap_leap.o:eap_leap.c:(.text+0xc3c): undefined reference to `md5_vector'

You cannot enable EAP methods that require algorithms not allowed in
FIPS mode..

> ../src/eap_common/ikev2_common.o:ikev2_common.c:(.text+0x225): undefined reference to `hmac_md5'
> ../src/eap_common/ikev2_common.o:ikev2_common.c:(.text+0x30b): undefined reference to `hmac_md5_vector'
> 
> ../src/crypto/ms_funcs.o:ms_funcs.c:(.text+0x28a): undefined reference to `md4_vector'
> 
> ../src/eap_common/chap.o:chap.c:(.text+0x4e): undefined reference to `md5_vector'
> 
> Any help would be greatly appreciated.

Remove almost every single EAP method from build configuration and try
again.. In practice, FIPS is unlikely to allow almost anything else than
EAP-TLS. That said, for a compilation test, all I need to remove are
these:

CONFIG_MSCHAPV2=y
CONFIG_EAP_LEAP=y
CONFIG_EAP_MD5=y
CONFIG_EAP_IKEV2=y
CONFIG_EAP_FAST=y

-- 
Jouni Malinen                                            PGP id EFC895FA