[PATCH] sae: enable HMAC_SHA384_KDF and HMAC_SHA512_KDF unconditionally
Jouni Malinen
j at w1.fi
Sun Apr 17 09:58:04 PDT 2022
On Sun, Jan 30, 2022 at 08:41:39AM +0100, yegorslists at googlemail.com wrote:
> Enabling at least HMAC_SHA384_KDF will avoid a linking failure
> when only CONFIG_EAP_TEAP is enabled. Though CONFIG_EAP_TEAP
> configures NEED_SHA384, it doesn't select HMAC_SHA384_KDF and
> hence, sae cannot resolve the hmac_sha384_kdf() routine.
> diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
> @@ -264,6 +264,8 @@ endif
> NEED_ECC=y
> NEED_DH_GROUPS=y
> NEED_HMAC_SHA256_KDF=y
> +NEED_HMAC_SHA384_KDF=y
> +NEED_HMAC_SHA512_KDF=y
> NEED_DRAGONFLY=y
> ifdef CONFIG_TESTING_OPTIONS
> NEED_DH_GROUPS_ALL=y
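Review bot: The two added lines in the SAE block set NEED_HMAC_SHA384_KDF=y and NEED_HMAC_SHA512_KDF=y unconditionally, yet nothing in this hunk also sets NEED_SHA384 or NEED_SHA512, so a CONFIG_SAE=y build with nothing else pulling in those hashes would be asked to build KDF code whose underlying hash is not part of the build. Consider selecting each KDF only where the matching hash is already enabled (for example behind an ifdef NEED_SHA384 and an ifdef NEED_SHA512 check) instead of forcing it from SAE. The commit message also explains only the hmac_sha384_kdf() link failure; it should say why the SHA512 variant is added as well.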
This would break all CONFIG_SAE=y builds that do not include something
else that pulls in SHA384 and SHA512. I don't think it is a good
approach to try to force these hash functions to be included for SAE
regardless of whether they are needed.
I fixed this particular case by pulling in the applicable KDF functions
if the hash functions themselves are included in the build:
https://w1.fi/cgit/hostap/commit/?id=c7f71fb8679c4cdd2607dbaac467a1d5efe9f0f9
--
Jouni Malinen PGP id EFC895FA