Make Openssl CMAC API (omac1_aes_vector) Availalable in Non FIPs Mode (#85)

wumiaont · web-flow · commit 3c7fd8e10d0e · 2024-03-23T08:55:13.000+08:00
Wpa_supplicant OpenSSL CMAC wrapper API (omac1_aes_vector) is only available when FIPs is enabled for build. Which should not be the case. Openssl CMAC wrapper API should also be available under non FIPS mode. When wpa-supplicant is referencing to use openssl, openssl CMAC should be triggered instead of wpa internal one. The fix is mostly taking from hostap with those changes already: https://w1.fi/cgit/hostap/commit/src/crypto?id=ae0f6ee97ed4924189f2cd68548d2a971f17d67e https://w1.fi/cgit/hostap/commit/wpa_supplicant/Makefile?id=ae0f6ee97ed4924189f2cd68548d2a971f17d67e Testing has been done with the changes with FIPS and non FIPS mode by running sonic macsec testing suite. It's observed in all scenario openssl CMAC API is triggered.
diff --git a/hostapd/Makefile b/hostapd/Makefile
@@ -919,11 +919,13 @@ endif
 ifdef NEED_AES_ENCBLOCK
 AESOBJS += ../src/crypto/aes-encblock.o
 endif
+ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)
 ifneq ($(CONFIG_TLS), wolfssl)
 AESOBJS += ../src/crypto/aes-omac1.o
 endif
 endif
+endif
 ifdef NEED_AES_UNWRAP
 ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c
@@ -16,9 +16,9 @@
 #include <openssl/dh.h>
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
-#ifdef CONFIG_OPENSSL_CMAC
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 #include <openssl/cmac.h>
-#endif /* CONFIG_OPENSSL_CMAC */
+#endif /* OpenSSL version < 3.0 */
 #ifdef CONFIG_ECC
 #include <openssl/ec.h>
 #include <openssl/x509.h>
@@ -1214,7 +1214,6 @@ int crypto_get_random(void *buf, size_t len)
 }
 
 
-#ifdef CONFIG_OPENSSL_CMAC
 int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
 		     const u8 *addr[], const size_t *len, u8 *mac)
 {
@@ -1308,7 +1307,6 @@ int omac1_aes_256(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
 {
 	return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);
 }
-#endif /* CONFIG_OPENSSL_CMAC */
 
 
 struct crypto_bignum * crypto_bignum_init(void)
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
@@ -75,7 +75,6 @@ endif
 
 ifdef CONFIG_FIPS
 CONFIG_NO_RANDOM_POOL=
-CONFIG_OPENSSL_CMAC=y
 endif
 
 OBJS = config.o
@@ -1330,9 +1329,7 @@ ifdef NEED_AES_ENCBLOCK
 AESOBJS += ../src/crypto/aes-encblock.o
 endif
 NEED_AES_ENC=y
-ifdef CONFIG_OPENSSL_CMAC
-CFLAGS += -DCONFIG_OPENSSL_CMAC
-else
+ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)
 ifneq ($(CONFIG_TLS), wolfssl)
 AESOBJS += ../src/crypto/aes-omac1.o

Original file line number	Diff line number	Diff line change
`@@ -16,9 +16,9 @@`
`16`	`16`	`#include <openssl/dh.h>`
`17`	`17`	`#include <openssl/hmac.h>`
`18`	`18`	`#include <openssl/rand.h>`
`19`		`-#ifdef CONFIG_OPENSSL_CMAC`
	`19`	`+#if OPENSSL_VERSION_NUMBER < 0x30000000L`
`20`	`20`	`#include <openssl/cmac.h>`
`21`		`-#endif /* CONFIG_OPENSSL_CMAC */`
	`21`	`+#endif /* OpenSSL version < 3.0 */`
`22`	`22`	`#ifdef CONFIG_ECC`
`23`	`23`	`#include <openssl/ec.h>`
`24`	`24`	`#include <openssl/x509.h>`
`@@ -1214,7 +1214,6 @@ int crypto_get_random(void *buf, size_t len)`
`1214`	`1214`	`}`
`1215`	`1215`
`1216`	`1216`
`1217`		`-#ifdef CONFIG_OPENSSL_CMAC`
`1218`	`1217`	`int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,`
`1219`	`1218`	`const u8 addr[], const size_t len, u8 *mac)`
`1220`	`1219`	`{`
`@@ -1308,7 +1307,6 @@ int omac1_aes_256(const u8 key, const u8 data, size_t data_len, u8 *mac)`
`1308`	`1307`	`{`
`1309`	`1308`	`return omac1_aes_vector(key, 32, 1, &data, &data_len, mac);`
`1310`	`1309`	`}`
`1311`		`-#endif /* CONFIG_OPENSSL_CMAC */`
`1312`	`1310`
`1313`	`1311`
`1314`	`1312`	`struct crypto_bignum * crypto_bignum_init(void)`