Enable CONFIG_FIPS for wpa_supplicant #92
Closed
Issues:
wpa_supplicant has support for enabling FIPS by setting CONFIG_FIPS. This will limit the usage of certain insecure algorithms such as MD4, MD5, DES, RC4. This is one of the requirements of FIPS 140-3.
It was found that wpa_supplicant does not support this config (CONFIG_FIPS=y) nicely. After turning on this flag, it was found that the make would not succeed. There are 2 issues which are fixed by this PR:
1. There are still references in wpa_supplicant to those insecure crypto APIs such as md4_vector etc. Macsec is not using any of those APIs though. wpa_supplicant disables those APIs from crypt_openssl.c when CONFIG_FIPS is enabled. Fixed those issues by leaving the corresponding API definitions (such as md4_vector etc) there but logging an error message and returning an error (-1) when CONFIG_FIPS is enabled.
2. FIPS_mode_set(1) is removed from OpenSSL 3.0.0. The solution is to replace it with EVP_default_properties_enable_fips(NULL, 1) as the OpenSSL forum suggests.
This PR uses a patch with the above changes. This will benefit us for later porting of the latest wpa_supplicant.
Testing:
Tested the above changes in a VM environment with the macsec testing suites. With FIPS enabled and FIPS disabled, all macsec tests passed.
Watched the wpa_supplicant build log and found the patch has been applied during the build with no issues.
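
The stub behaviour described for `md4_vector` above, as an added C example (not code from this PR or from wpa_supplicant): it shows that a stub returning -1 leaves the caller's digest buffer unwritten, so every caller has to check the return value and fail closed. Only the `md4_vector` signature follows wpa_supplicant; `DIGEST_LEN`, `output_untouched_on_failure` and `derive_hash_checked` are hypothetical names, and `CONFIG_FIPS` is defined inline as an assumption.

```c
/* Added illustration, not wpa_supplicant source. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CONFIG_FIPS 1        /* assumption: as if built with CONFIG_FIPS=y */
#define DIGEST_LEN 16        /* hypothetical constant: MD4 digest size */
typedef unsigned char u8;

#ifdef CONFIG_FIPS
/* Same signature as md4_vector(); in a FIPS build it only logs and fails. */
int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac)
{
    (void) num_elem; (void) addr; (void) len; (void) mac;
    fprintf(stderr, "md4_vector: MD4 is not available in FIPS mode\n");
    return -1;               /* mac is left unwritten */
}
#endif

/* Returns 1 if a failed call leaves the caller's buffer exactly as it was,
 * i.e. an unchecked caller would go on to use stale bytes as a digest. */
int output_untouched_on_failure(void)
{
    const u8 msg[] = "constructed input";
    const u8 *addr[1] = { msg };
    const size_t len[1] = { sizeof(msg) - 1 };
    u8 mac[DIGEST_LEN], before[DIGEST_LEN];

    memset(mac, 0xAA, sizeof(mac));
    memcpy(before, mac, sizeof(mac));
    return md4_vector(1, addr, len, mac) < 0 &&
           memcmp(mac, before, sizeof(mac)) == 0;
}

/* Hypothetical caller that fails closed: propagate -1 and zero the output. */
int derive_hash_checked(const u8 *data, size_t data_len, u8 out[DIGEST_LEN])
{
    const u8 *addr[1] = { data };
    const size_t len[1] = { data_len };

    if (md4_vector(1, addr, len, out) < 0) {
        memset(out, 0, DIGEST_LEN);
        return -1;
    }
    return 0;
}

int main(void)
{
    u8 out[DIGEST_LEN];
    printf("untouched=%d checked=%d\n", output_untouched_on_failure(),
           derive_hash_checked((const u8 *) "pw", 2, out));
    return 0;
}
```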