[PATCH] eap: disable EAP-TTLS CHAP phase2 on server when CONFIG_FIPS is set
Chaitanya Tata
chaitanya.mgit at gmail.com
Mon Feb 9 00:20:19 PST 2026
From: Chaitanya Tata <Chaitanya.Tata at nordicsemi.no>
Mirror the peer side: reject CHAP in eap_ttls_process_phase2_chap()
with an error and FAILURE state when building with CONFIG_FIPS, since
CHAP uses MD5 which is not FIPS-approved.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata at nordicsemi.no>
---
src/eap_server/eap_server_ttls.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c
index b21f12da7..4984f205c 100644
--- a/src/eap_server/eap_server_ttls.c
+++ b/src/eap_server/eap_server_ttls.c
@@ -560,6 +560,11 @@ static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
const u8 *password,
size_t password_len)
{
+#ifdef CONFIG_FIPS
+ wpa_printf(MSG_ERROR, "EAP-TTLS: CHAP not supported in FIPS build");
+ eap_ttls_state(data, FAILURE);
+ return;
+#else /* CONFIG_FIPS */
u8 *chal, hash[CHAP_MD5_LEN];
if (challenge == NULL || password == NULL ||
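Review bot: The wpa_printf() added at the top of eap_ttls_process_phase2_chap() logs at MSG_ERROR, but this path runs whenever a peer selects CHAP in phase 2, so the remote side controls how often it fires. The existing rejection later in the same function logs at MSG_DEBUG with the "EAP-TTLS/CHAP:" prefix. Consider MSG_INFO or MSG_DEBUG and the same prefix, so the two rejection messages stay consistent and easy to filter. Separately, in a CONFIG_FIPS build only data is used from the parameter list (sm, challenge, password and password_len are not), which may produce unused-parameter warnings depending on the warning flags in use.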
@@ -613,6 +618,7 @@ static void eap_ttls_process_phase2_chap(struct eap_sm *sm,
wpa_printf(MSG_DEBUG, "EAP-TTLS/CHAP: Invalid user password");
eap_ttls_state(data, FAILURE);
}
+#endif /* CONFIG_FIPS */
}
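Review bot: With the #endif placed just before the closing brace, a CONFIG_FIPS build leaves this function in the same eap_ttls_state(data, FAILURE) that the non-FIPS branch uses for "Invalid user password", so a policy rejection and a wrong password can be told apart only by the log line. The diffstat shows only eap_server_ttls.c changing, so nothing outside the source tells an operator that users configured for TTLS/CHAP will fail at authentication time in a FIPS build. A short note wherever CONFIG_FIPS is documented for the build would close that gap.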
--
2.43.0