[PATCH] eap: disable IKEv2 MD5 when building with CONFIG_FIPS

Chaitanya Tata chaitanya.mgit at gmail.com
Mon Feb 9 00:08:56 PST 2026


From: Chaitanya Tata <Chaitanya.Tata at nordicsemi.no>

RFC 4306 allows HMAC-MD5 for integrity and PRF, but MD5 is not
FIPS-approved. Exclude AUTH_HMAC_MD5_96 and PRF_HMAC_MD5 from the
supported algorithm tables and switch branches when CONFIG_FIPS is set.
HMAC-SHA1 remains enabled.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata at nordicsemi.no>
---
 src/eap_common/ikev2_common.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/eap_common/ikev2_common.c b/src/eap_common/ikev2_common.c
index 2e75b4375..b37175c14 100644
--- a/src/eap_common/ikev2_common.c
+++ b/src/eap_common/ikev2_common.c
@@ -10,7 +10,9 @@
 
 #include "common.h"
 #include "crypto/crypto.h"
+#ifndef CONFIG_FIPS
 #include "crypto/md5.h"
+#endif /* CONFIG_FIPS */
 #include "crypto/sha1.h"
 #include "crypto/random.h"
 #include "ikev2_common.h"
@@ -18,7 +20,9 @@
 
 static const struct ikev2_integ_alg ikev2_integ_algs[] = {
 	{ AUTH_HMAC_SHA1_96, 20, 12 },
+#ifndef CONFIG_FIPS
 	{ AUTH_HMAC_MD5_96, 16, 12 }
+#endif /* CONFIG_FIPS */
 };
 
 #define NUM_INTEG_ALGS ARRAY_SIZE(ikev2_integ_algs)
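Review bot: The conditional entry in `ikev2_integ_algs` (and the matching one in `ikev2_prf_algs` in the next hunk) carries no comment saying why MD5 is build-dependent. A line such as `/* HMAC-MD5 is not FIPS-approved; omit it so it can never be negotiated */` above each `#ifndef` would keep a later edit from re-adding it unguarded. With CONFIG_FIPS set, a lookup for an MD5 transform id will now miss in both tables. The lookup helpers and their callers are outside this patch, so it is worth confirming they reject the proposal on a miss rather than use the result unchecked. The encryption and DH tables of this file are also not shown here and may need the same FIPS review, since the commit only addresses MD5.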
@@ -26,7 +30,9 @@ static const struct ikev2_integ_alg ikev2_integ_algs[] = {
 
 static const struct ikev2_prf_alg ikev2_prf_algs[] = {
 	{ PRF_HMAC_SHA1, 20, 20 },
+#ifndef CONFIG_FIPS
 	{ PRF_HMAC_MD5, 16, 16 }
+#endif /* CONFIG_FIPS */
 };
 
 #define NUM_PRF_ALGS ARRAY_SIZE(ikev2_prf_algs)
@@ -67,6 +73,7 @@ int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
 			return -1;
 		os_memcpy(hash, tmphash, 12);
 		break;
+#ifndef CONFIG_FIPS
 	case AUTH_HMAC_MD5_96:
 		if (key_len != 16)
 			return -1;
@@ -74,6 +81,7 @@ int ikev2_integ_hash(int alg, const u8 *key, size_t key_len, const u8 *data,
 			return -1;
 		os_memcpy(hash, tmphash, 12);
 		break;
+#endif /* CONFIG_FIPS */
 	default:
 		return -1;
 	}
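Review bot: In a CONFIG_FIPS build an `AUTH_HMAC_MD5_96` request now lands in `default: return -1;` with nothing logged, and the same holds for `PRF_HMAC_MD5` in the `ikev2_prf_hash` hunk below. Failing closed is the right behaviour, but a peer that still selects MD5 will produce an authentication failure that is hard to attribute. Consider `wpa_printf(MSG_DEBUG, "IKEV2: Unsupported integrity algorithm %d", alg);` before the `return -1;` in the default branch, and the PRF equivalent. The `#ifndef` opens in the previous hunk and the body of `ikev2_integ_hash` continues outside both hunks.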
@@ -103,8 +111,10 @@ int ikev2_prf_hash(int alg, const u8 *key, size_t key_len,
 	case PRF_HMAC_SHA1:
 		return hmac_sha1_vector(key, key_len, num_elem, addr, len,
 					hash);
+#ifndef CONFIG_FIPS
 	case PRF_HMAC_MD5:
 		return hmac_md5_vector(key, key_len, num_elem, addr, len, hash);
+#endif /* CONFIG_FIPS */
 	default:
 		return -1;
 	}
-- 
2.43.0



