Re: Disable FIPS mode when RADIUS is being used

  And a final note, this patch only affects the RADIUS client and server, and only when OpenSSL is used, and only when CONFIG_FIPS is not set, and then only when OpenSSL has FIPS enabled at run time.

  MS-CHAP, MS-CHAPv2 will still be broken, and I didn't update the MD4 code.  CHAP and EAP-MD5 will still be broken when CONFIG_NO_RADIUS=y is set.

  If the patch is OK, I can do some follow-up patches which will address those issues.

> On Feb 25, 2025, at 9:29 AM, Alan DeKok <aland@xxxxxxxxxxxxxxxxxxx> wrote:
> 
>  Here's another patch which is perhaps better.
> 
>  It affects only the MD5 functions, and then only when OpenSSL is used:
> 
> * update the Makefiles so that they complain if CONFIG_FIPS is used in conjunction with CONFIG_NO_RADIUS
> 
> * add a CONFIG_CRYPTO_NEEDS_MD5 define which is automatically set by the Makefiles, and checked by the rest of the code.
> 
> * add a crypto_needs_md5() function which is defined only when CONFIG_CRYPTO_NEEDS_MD5 is set.  Otherwise it's a NOOP.
> 
> * have the RADIUS client and server call crypto_needs_md5() to tell the crypto libraries that they need MD5
> 
> * update src/crypto/crypto_openssl.c to check a new flag which is set when crypto_needs_md5() is called, and OpenSSL is built in FIPS mode
> 
> * in the md5_vector() etc. functions, check the flag and call the internal MD5 functions if the flag is set.
> 
>  The only ugly thing is that the code does a #include of another C file.  I couldn't find a better way to do this without more intrusive code modifications.
> 
>  i.e. the current build includes only one crypto* object file, which means that we can't include both an OpenSSL md5_vector() and an internal md5_vector() at the same time.  There would be name conflicts.
> 
>  The #include magic ensures that the internal md5_vector() function can be called from the OpenSSL code, and we also don't need to change the rest of the build system.
> 
> <0001-Allow-RADIUS-to-use-MD5-with-OpenSSL-in-FIPS-mode.patch>
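
Added example, not the hostap patch or any code from the thread, mirroring the design the quoted message describes: a flag set by crypto_needs_md5() that md5_vector() consults so that a non-policy MD5 is used when the crypto library is in FIPS mode, while code that never sets the flag keeps the FIPS refusal. Assumptions: the FIPS state is a simulated boolean rather than a query of OpenSSL, hashlib.md5(usedforsecurity=False) (Python 3.9+) stands in for the patch's internal MD5, and radius_response_authenticator() is a hypothetical consumer following RFC 2865 section 3.

```python
import hashlib
import struct

# Runtime flag: set once by the RADIUS client/server, checked by md5_vector().
_md5_needed = False


def crypto_needs_md5():
    """RADIUS code calls this to say it needs MD5 for protocol framing (RFC 2865),
    which is not a cipher-strength choice the FIPS policy can meaningfully forbid."""
    global _md5_needed
    _md5_needed = True


def md5_vector(elems, fips_mode=False):
    """MD5 over the concatenation of elems, like hostap's md5_vector(num_elem, addr, len).

    fips_mode simulates OpenSSL reporting FIPS enabled at run time (assumption).
    Without the flag, FIPS mode behaves as before: MD5 is refused.
    With the flag, the internal (non-policy) MD5 path is taken instead.
    """
    if fips_mode and not _md5_needed:
        raise RuntimeError("MD5 unavailable: crypto library is in FIPS mode")
    # usedforsecurity=False stands in for the patch's internal MD5 implementation.
    h = hashlib.md5(usedforsecurity=False) if fips_mode else hashlib.md5()
    for e in elems:
        h.update(e)
    return h.digest()


def radius_response_authenticator(code, identifier, attributes, request_auth, secret,
                                  fips_mode=False):
    """Hypothetical consumer: RFC 2865 Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret),
    where Length covers the 20-byte header plus attributes."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return md5_vector([header, request_auth, attributes, secret], fips_mode=fips_mode)


if __name__ == "__main__":
    crypto_needs_md5()
    req_auth = bytes(range(16))  # constructed Request Authenticator
    print(radius_response_authenticator(2, 1, b"", req_auth, b"testing123",
                                        fips_mode=True).hex())
```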


_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap