From 835c89a16bc320b3aeea57d626a4fbc26724316e Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sat, 1 Aug 2015 16:53:16 +0300
Subject: [PATCH] EAP-TTLS: Disable CHAP, MSCHAP, and MSCHAPV2 in CONFIG_FIPS=y builds
FIPS builds do not include support for MD4/MD5, so disable EAP-TTLS/CHAP, MSCHAP, and MSCHAPV2 when CONFIG_FIPS=y is used.
Signed-off-by: Jouni Malinen
---
 src/eap_peer/eap_ttls.c | 17 +++++++++++++++++
 wpa_supplicant/Android.mk | 4 +++-
 wpa_supplicant/Makefile | 4 +++-
 3 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
index 3f59a5f97..b186c9156 100644
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c
@@ -254,11 +254,13 @@ static int eap_ttls_v0_derive_key(struct eap_sm *sm,
 }
+#ifndef CONFIG_FIPS
 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm, struct eap_ttls_data *data, size_t len)
 {
 return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len);
 }
+#endif /* CONFIG_FIPS */
 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data,
@@ -429,6 +431,10 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
 struct eap_method_ret *ret,
 struct wpabuf **resp)
 {
+#ifdef CONFIG_FIPS
+ wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPV2 not supported in FIPS build");
+ return -1;
+#else /* CONFIG_FIPS */
 #ifdef EAP_MSCHAPv2
 struct wpabuf *msg;
 u8 *buf, *pos, *challenge, *peer_challenge;
@@ -511,6 +517,7 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
 wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
 return -1;
 #endif /* EAP_MSCHAPv2 */
+#endif /* CONFIG_FIPS */
 }
@@ -519,6 +526,10 @@ static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
 struct eap_method_ret *ret,
 struct wpabuf **resp)
 {
+#ifdef CONFIG_FIPS
+ wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAP not supported in FIPS build");
+ return -1;
+#else /* CONFIG_FIPS */
 struct wpabuf *msg;
 u8 *buf, *pos, *challenge;
 const u8 *identity, *password;
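Review bot: The new `#ifndef CONFIG_FIPS` around eap_ttls_implicit_challenge() carries no comment saying why the helper disappears in FIPS builds, and its call sites are outside this hunk. Presumably its only callers are the CHAP, MSCHAP and MSCHAPV2 request functions that this commit stubs out; a one-line comment above the guard such as `/* Only used by CHAP/MSCHAP/MSCHAPV2, which are compiled out when CONFIG_FIPS is set */` would make that dependency explicit. If a phase 2 method that is permitted under FIPS ever needs the implicit challenge, this guard has to be revisited together with it.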
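Review bot: The FIPS branch added at the top of eap_ttls_phase2_request_mschapv2() rejects the method only when the phase 2 request is being built, which is after the TLS tunnel has been negotiated; the same stub is added to eap_ttls_phase2_request_mschap() and eap_ttls_phase2_request_chap() in later hunks. Whether the phase 2 configuration parsing (not part of this diff) already refuses these methods under CONFIG_FIPS cannot be seen here; if it does not, rejecting them there as well would make a misconfigured FIPS client fail at start-up instead of on every authentication attempt. As a smaller point, the new message spells `MSCHAPV2` while the existing message in the same function uses `MSCHAPv2`; `wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not supported in FIPS build");` would keep log searches consistent. The function body continues beyond this hunk.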
@@ -593,6 +604,7 @@ static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
 ret->decision = DECISION_COND_SUCC;
 return 0;
+#endif /* CONFIG_FIPS */
 }
@@ -655,6 +667,10 @@ static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
 struct eap_method_ret *ret,
 struct wpabuf **resp)
 {
+#ifdef CONFIG_FIPS
+ wpa_printf(MSG_ERROR, "EAP-TTLS: CHAP not supported in FIPS build");
+ return -1;
+#else /* CONFIG_FIPS */
 struct wpabuf *msg;
 u8 *buf, *pos, *challenge;
 const u8 *identity, *password;
@@ -723,6 +739,7 @@ static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
 ret->decision = DECISION_COND_SUCC;
 return 0;
+#endif /* CONFIG_FIPS */
 }
diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index 5070d1469..149ad3e2d 100644
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -428,9 +428,11 @@ L_CFLAGS += -DEAP_TTLS
 OBJS += src/eap_peer/eap_ttls.c
 OBJS_h += src/eap_server/eap_server_ttls.c
 endif
-MS_FUNCS=y
 TLS_FUNCS=y
+ifndef CONFIG_FIPS
+MS_FUNCS=y
 CHAP=y
+endif
 CONFIG_IEEE8021X_EAPOL=y
 endif
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 8b2d6799f..49e64f0d2 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -425,9 +425,11 @@ CFLAGS += -DEAP_TTLS
 OBJS += ../src/eap_peer/eap_ttls.o
 OBJS_h += ../src/eap_server/eap_server_ttls.o
 endif
-MS_FUNCS=y
 TLS_FUNCS=y
+ifndef CONFIG_FIPS
+MS_FUNCS=y
 CHAP=y
+endif
 CONFIG_IEEE8021X_EAPOL=y
 endif
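Review bot: `ifndef CONFIG_FIPS` tests whether the variable is set at all, not whether it is `y`, so a build configuration that writes `CONFIG_FIPS=n` would also drop `MS_FUNCS` and `CHAP` in the Android.mk hunk; the identical hunk in wpa_supplicant/Makefile behaves the same way. If the other options in these files are tested with plain `ifdef` too, this is consistent and only needs a comment above the guard, for example `# MSCHAP/MSCHAPv2/CHAP need MD4/MD5, which FIPS builds leave out`. The guard covers only the EAP-TTLS block shown; any other block that sets `MS_FUNCS=y` or `CHAP=y` is outside this diff and would still pull those functions into a FIPS build, so it is worth checking that no such block stays enabled together with CONFIG_FIPS.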