aboutsummaryrefslogtreecommitdiffstats
path: root/wpa_supplicant/Makefile
diff options
context:
space:
mode:
authorJouni Malinen <j@w1.fi>2015-08-01 13:31:45 (GMT)
committerJouni Malinen <j@w1.fi>2015-08-01 13:56:59 (GMT)
commit276a3c44dd5ecf41ce586da2d9024d7f3e9665f9 (patch)
treef158fc6cf629016ddb85988f0a77598e8462e2ad /wpa_supplicant/Makefile
parent266cf4a0bc833ac922632e18b72ad03a07df38cf (diff)
downloadhostap-276a3c44dd5ecf41ce586da2d9024d7f3e9665f9.zip
hostap-276a3c44dd5ecf41ce586da2d9024d7f3e9665f9.tar.gz
hostap-276a3c44dd5ecf41ce586da2d9024d7f3e9665f9.tar.bz2
OpenSSL: Implement aes_wrap/aes_unwrap through EVP for CONFIG_FIPS=y
The OpenSSL internal AES_wrap_key() and AES_unwrap_key() functions are unfortunately not available in FIPS mode. Trying to use them results in "aes_misc.c(83): OpenSSL internal error, assertion failed: Low level API call to cipher AES forbidden in FIPS mode!" and process termination. Work around this by reverting commit f19c907822ad0dec3480b1435b615ae22c5533a1 ('OpenSSL: Implement aes_wrap() and aes_unwrap()') changes for CONFIG_FIPS=y case. In practice, this ends up using the internal AES key wrap/unwrap implementation through the OpenSSL EVP API which is available in FIPS mode. When CONFIG_FIPS=y is not used, the OpenSSL AES_wrap_key()/AES_unwrap_key() API continues to be used to minimize code size. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'wpa_supplicant/Makefile')
-rw-r--r--wpa_supplicant/Makefile11
1 files changed, 10 insertions, 1 deletions
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index a006256..8b2d679 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1148,6 +1148,15 @@ AESOBJS += ../src/crypto/aes-internal.o ../src/crypto/aes-internal-dec.o
endif
ifneq ($(CONFIG_TLS), openssl)
+NEED_INTERNAL_AES_WRAP=y
+endif
+ifdef CONFIG_FIPS
+# Have to use internal AES key wrap routines to use OpenSSL EVP since the
+# OpenSSL AES_wrap_key()/AES_unwrap_key() API is not available in FIPS mode.
+NEED_INTERNAL_AES_WRAP=y
+endif
+
+ifdef NEED_INTERNAL_AES_WRAP
AESOBJS += ../src/crypto/aes-unwrap.o
endif
ifdef NEED_AES_EAX
@@ -1173,7 +1182,7 @@ AESOBJS += ../src/crypto/aes-siv.o
endif
ifdef NEED_AES_WRAP
NEED_AES_ENC=y
-ifneq ($(CONFIG_TLS), openssl)
+ifdef NEED_INTERNAL_AES_WRAP
AESOBJS += ../src/crypto/aes-wrap.o
endif
endif