Here's another patch which is perhaps better. It affects only the MD5 functions, and then only when OpenSSL is used: * update the Makefiles so that they complain if CONFIG_FIPS is used in conjunction with CONFIG_NO_RADIUS * add a CONFIG_CRYPTO_NEEDS_MD5 define which is automatically set by the Makefiles, and checked by the rest of the code. * add a crypto_needs_md5() function which is defined only when CONFIG_CRYPTO_NEEDS_MD5 is set. Otherwise it's a NOOP. * have the RADIUS client and server call crypto_needs_md5() to tell the crypto libraries that they need MD5 * update src/crypto/crypto_openssl.c to check a new flag which is set when crypto_needs_md5() is called, and OpenSSL is build in FIPS mode * in the md5_vector() etc. functions, check the flag and call the internal MD5 functions if the flag is set. The only ugly thing is that the code does a #include of another C file. I couldn't find a better way to do this without more intrusive code modifications. i.e. the current build includes only one crypto* object file. Which means that we can't include both an OpenSSL md5_vector() and an internal md5_vector() at the same time. There would be name conflicts. The #include magic ensures that the internal md5_vector() function can be called from the OpenSSL code, and we also don't need to change the rest of the build system.
Attachment:
0001-Allow-RADIUS-to-use-MD5-with-OpenSSL-in-FIPS-mode.patch
Description: Binary data
_______________________________________________ Hostap mailing list Hostap@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/hostap
