Disable FIPS mode when RADIUS is being used

Alan DeKok aland at deployingradius.com
Tue Feb 25 06:29:54 PST 2025


  Here's another patch which is perhaps better.

  It affects only the MD5 functions, and then only when OpenSSL is used:

* update the Makefiles so that they complain if CONFIG_FIPS is used in conjunction with CONFIG_NO_RADIUS

* add a CONFIG_CRYPTO_NEEDS_MD5 define which is automatically set by the Makefiles, and checked by the rest of the code.

* add a crypto_needs_md5() function which is defined only when CONFIG_CRYPTO_NEEDS_MD5 is set.  Otherwise it's a NOOP.

* have the RADIUS client and server call crypto_needs_md5() to tell the crypto libraries that they need MD5

* update src/crypto/crypto_openssl.c to check a new flag which is set when crypto_needs_md5() is called, and OpenSSL is built in FIPS mode

* in the md5_vector() etc. functions, check the flag and call the internal MD5 functions if the flag is set.

  The only ugly thing is that the code does a #include of another C file.  I couldn't find a better way to do this without more intrusive code modifications.

  i.e. the current build includes only one crypto* object file.  Which means that we can't include both an OpenSSL md5_vector() and an internal md5_vector() at the same time.  There would be name conflicts.

  The #include magic ensures that the internal md5_vector() function can be called from the OpenSSL code, and we also don't need to change the rest of the build system.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Allow-RADIUS-to-use-MD5-with-OpenSSL-in-FIPS-mode.patch
Type: application/octet-stream
Size: 6814 bytes
Desc: not available
URL: <http://lists.infradead.org/pipermail/hostap/attachments/20250225/7ffe815f/attachment.obj>
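
The flag-gated fallback described in this message, sketched as an added example that is not the attached patch or hostap code. `crypto_needs_md5()` and `md5_vector()` are named in the message; `fips_mode`, `md5_needed`, `md5_vector_internal()`, the compact MD5 and the -1 return standing in for a FIPS-mode refusal are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Compact MD5 (RFC 1321), standing in for the internal implementation. */
static const uint32_t K[64] = {
  0xd76aa478,0xe8c7b756,0x242070db,0xc1bdceee,0xf57c0faf,0x4787c62a,0xa8304613,0xfd469501,
  0x698098d8,0x8b44f7af,0xffff5bb1,0x895cd7be,0x6b901122,0xfd987193,0xa679438e,0x49b40821,
  0xf61e2562,0xc040b340,0x265e5a51,0xe9b6c7aa,0xd62f105d,0x02441453,0xd8a1e681,0xe7d3fbc8,
  0x21e1cde6,0xc33707d6,0xf4d50d87,0x455a14ed,0xa9e3e905,0xfcefa3f8,0x676f02d9,0x8d2a4c8a,
  0xfffa3942,0x8771f681,0x6d9d6122,0xfde5380c,0xa4beea44,0x4bdecfa9,0xf6bb4b60,0xbebfbc70,
  0x289b7ec6,0xeaa127fa,0xd4ef3085,0x04881d05,0xd9d4d039,0xe6db99e5,0x1fa27cf8,0xc4ac5665,
  0xf4292244,0x432aff97,0xab9423a7,0xfc93a039,0x655b59c3,0x8f0ccc92,0xffeff47d,0x85845dd1,
  0x6fa87e4f,0xfe2ce6e0,0xa3014314,0x4e0811a1,0xf7537e82,0xbd3af235,0x2ad7d2bb,0xeb86d391 };
static const uint8_t S[16] = { 7,12,17,22, 5,9,14,20, 4,11,16,23, 6,10,15,21 };
typedef struct { uint32_t h[4]; uint8_t buf[64]; uint64_t n; } md5_ctx;
static int fips_mode = 1, md5_needed; /* constructed FIPS stand-in; the new opt-in flag */

static void md5_feed(md5_ctx *c, const uint8_t *p, size_t len) {
    for (; len--; p++) {
        c->buf[c->n++ % 64] = *p;
        if (c->n % 64) continue;              /* block not full yet */
        uint32_t a = c->h[0], b = c->h[1], x = c->h[2], d = c->h[3], w[16];
        for (int i = 0; i < 16; i++)          /* load little-endian words */
            w[i] = c->buf[4*i] | (c->buf[4*i+1] << 8) | (c->buf[4*i+2] << 16) | ((uint32_t)c->buf[4*i+3] << 24);
        for (int i = 0; i < 64; i++) {
            int g = i < 16 ? i : i < 32 ? (5*i + 1) % 16 : i < 48 ? (3*i + 5) % 16 : 7*i % 16, s = S[i / 16 * 4 + i % 4];
            uint32_t f = a + K[i] + w[g] + (i < 16 ? (b & x) | (~b & d) : i < 32 ? (d & b) | (~d & x) :
                                            i < 48 ? b ^ x ^ d : x ^ (b | ~d));
            a = d; d = x; x = b; b += (f << s) | (f >> (32 - s));
        }
        c->h[0] += a; c->h[1] += b; c->h[2] += x; c->h[3] += d;
    }
}

/* The internal md5_vector() under a private name (assumed), so both can coexist. */
static int md5_vector_internal(size_t n, const uint8_t *addr[], const size_t *len, uint8_t *mac) {
    md5_ctx c = { { 0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476 }, { 0 }, 0 };
    uint8_t pad = 0x80, zero = 0, bits[8];
    for (size_t i = 0; i < n; i++) md5_feed(&c, addr[i], len[i]);
    for (int i = 0; i < 8; i++) bits[i] = (uint8_t)(c.n * 8 >> 8 * i);  /* bit length, LE */
    md5_feed(&c, &pad, 1);
    while (c.n % 64 != 56) md5_feed(&c, &zero, 1);
    md5_feed(&c, bits, 8);
    for (int i = 0; i < 16; i++) mac[i] = (uint8_t)(c.h[i / 4] >> 8 * (i % 4));
    return 0;
}
void crypto_needs_md5(void) { md5_needed = 1; }  /* called by the RADIUS client/server */
/* FIPS without opt-in: MD5 stays unavailable (-1). A non-FIPS build would call OpenSSL instead. */
int md5_vector(size_t n, const uint8_t *addr[], const size_t *len, uint8_t *mac) {
    return (fips_mode && !md5_needed) ? -1 : md5_vector_internal(n, addr, len, mac);
}
```

Because the flag is only ever set by an explicit `crypto_needs_md5()` call, every other caller of `md5_vector()` still sees MD5 as unavailable in FIPS mode.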

