OpenSSL can operate in FIPS mode, where this is a configuration flag, and not a build requirement. Applications like RADIUS need to disable FIPS, otherwise the Response Authenticator and Message-Authenticator won't be calculated correctly. OpenSSL will not return an error when asked to do MD4 / MD5 calculations. It will just silently do the wrong thing. For an example FreeRADIUS / eapol_test output, see: https://lists.freeradius.org/pipermail/freeradius-users/2025-February/105332.html I've attached two patches. One patch adds a fips_disable() function to src/crypto/crypto*.c. The OpenSSL one tries to disable FIPS, and returns an error if it cannot. The other crypto*.c files have an empty function defined, which always succeeds. The second patch makes the RADIUS client and server call the new fips_disable() function. Alan DeKok.
Attachment:
0001-Add-function-to-disable-FIPS-mode.patch
Description: Binary data
Attachment:
0002-Disable-FIPS-when-initializing-RADIUS-client-or-serv.patch
Description: Binary data
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
