On Sun, Jan 30, 2022 at 08:41:39AM +0100, yegorslists@xxxxxxxxxxxxxx wrote: > Enabling at least HMAC_SHA384_KDF will avoid linking failure > when only CONFIG_EAP_TEAP is enabled. Though CONFIG_EAP_TEAP > configures NEED_SHA384, it doesn't select HMAC_SHA384_KDF and > hence, sae cannot resolve hmac_sha384_kdf() routine. > diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile > @@ -264,6 +264,8 @@ endif > NEED_ECC=y > NEED_DH_GROUPS=y > NEED_HMAC_SHA256_KDF=y > +NEED_HMAC_SHA384_KDF=y > +NEED_HMAC_SHA512_KDF=y > NEED_DRAGONFLY=y > ifdef CONFIG_TESTING_OPTIONS > NEED_DH_GROUPS_ALL=y This would break all CONFIG_SAE=y builds that do not include something else that pulls in SHA384 and SHA512. I don't think it is a good approach to try to force these hash functions to be included for SAE regardless of whether they are needed. I fixed this particular case by pulling in the applicable KDF functions if the hash functions themselves are includes in the build: https://w1.fi/cgit/hostap/commit/?id=c7f71fb8679c4cdd2607dbaac467a1d5efe9f0f9 -- Jouni Malinen PGP id EFC895FA _______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap