From 812f28b79cfcff122af8c0d6a9eb9e793a1c2652 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Mon, 17 Aug 2015 21:31:17 +0300 Subject: [PATCH] BoringSSL: Allow internal AES key wrap to be used with "OpenSSL" build It looks like BoringSSL has removed the AES_wrap_key(), AES_unwrap_key() API. This broke wpa_supplicant/hostapd build since those functions from OpenSSL were used to replace the internal AES key wrap implementation. Add a new build configuration option (CONFIG_OPENSSL_INTERNAL_AES_WRAP=y) to allow the internal implementation to be used with CONFIG_OPENSSL=y build to allow build against the latest BoringSSL version. Signed-off-by: Jouni Malinen
---
 src/crypto/crypto_openssl.c | 2 ++ wpa_supplicant/Android.mk | 5 +++++ wpa_supplicant/Makefile | 5 +++++ 3 files changed, 12 insertions(+)
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
index a82429326..6cff75c64 100644
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@@ -304,6 +304,7 @@ void aes_decrypt_deinit(void *ctx)
 #ifndef CONFIG_FIPS
+#ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP
 int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)
 {
@@ -331,6 +332,7 @@ int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,
 return res <= 0 ? -1 : 0;
 }
+#endif /* CONFIG_OPENSSL_INTERNAL_AES_WRAP */
 #endif /* CONFIG_FIPS */
diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index 791f857ef..3673ba77d 100644
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -1140,6 +1140,11 @@ endif
 ifneq ($(CONFIG_TLS), openssl)
 NEED_INTERNAL_AES_WRAP=y
 endif
+ifdef CONFIG_OPENSSL_INTERNAL_AES_WRAP
+# Seems to be needed at least with BoringSSL
+NEED_INTERNAL_AES_WRAP=y
+L_CFLAGS += -DCONFIG_OPENSSL_INTERNAL_AES_WRAP
+endif
 ifdef CONFIG_FIPS
 # Have to use internal AES key wrap routines to use OpenSSL EVP since the
 # OpenSSL AES_wrap_key()/AES_unwrap_key() API is not available in FIPS mode.
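Review bot: The new `#ifndef CONFIG_OPENSSL_INTERNAL_AES_WRAP` guard in the first hunk of src/crypto/crypto_openssl.c has no comment, so a reader of the file cannot tell why the library-backed aes_wrap()/aes_unwrap() are compiled out or what replaces them. I would add `/* BoringSSL removed AES_wrap_key()/AES_unwrap_key(); the internal AES key wrap implementation is linked instead */` directly above the guard. The matching `#endif` is in the second hunk, and the bodies of both functions lie partly outside the hunks. With the option set, key wrap and the integrity check on unwrap run in the project's own code rather than in the TLS library, which matters to anyone auditing which crypto implementation a given build uses.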
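Review bot: The comment on the added block in wpa_supplicant/Android.mk, `# Seems to be needed at least with BoringSSL`, does not say what is needed or why, unlike the CONFIG_FIPS comment directly below it. I would replace it with `# BoringSSL has removed AES_wrap_key()/AES_unwrap_key(), so build the internal AES key wrap instead`. Because the test is `ifdef`, any non-empty value enables it, so `CONFIG_OPENSSL_INTERNAL_AES_WRAP=n` would still switch the build to the internal implementation. That matches the `ifdef CONFIG_FIPS` convention visible here, but it deserves a sentence wherever the option is documented. The identical block in wpa_supplicant/Makefile carries the same comment.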
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 6acbf43e6..1f1527a3a 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1152,6 +1152,11 @@ endif
 ifneq ($(CONFIG_TLS), openssl)
 NEED_INTERNAL_AES_WRAP=y
 endif
+ifdef CONFIG_OPENSSL_INTERNAL_AES_WRAP
+# Seems to be needed at least with BoringSSL
+NEED_INTERNAL_AES_WRAP=y
+CFLAGS += -DCONFIG_OPENSSL_INTERNAL_AES_WRAP
+endif
 ifdef CONFIG_FIPS
 # Have to use internal AES key wrap routines to use OpenSSL EVP since the
 # OpenSSL AES_wrap_key()/AES_unwrap_key() API is not available in FIPS mode.
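Review bot: This block has no hostapd counterpart in the patch, although the commit message says the missing API broke both the wpa_supplicant and hostapd builds; the diffstat lists only wpa_supplicant/Android.mk and wpa_supplicant/Makefile. If hostapd's build files (not visible here) select the key wrap objects the same way, setting CONFIG_OPENSSL_INTERNAL_AES_WRAP=y there would presumably have no effect and the link failure against BoringSSL would remain. The patch also adds no entry for the option to any example build configuration; a commented-out `#CONFIG_OPENSSL_INTERNAL_AES_WRAP=y` line with a one-line explanation would make it discoverable.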