FIPS: Use OpenSSL CMAC implementation instead of aes-omac1.c

Signed-hostap: Jouni Malinen <j@w1.fi>
2024-11-25 00:38:24 -05:00 · 2012-08-16 22:19:53 +03:00 · 2012-08-16 22:19:53 +03:00 · 0b5e98557e
commit 0b5e98557e
parent 982bafedaf
3 changed files with 48 additions and 0 deletions
--- a/src/crypto/crypto_openssl.c
+++ b/src/crypto/crypto_openssl.c
@ -16,6 +16,9 @@
 #include <openssl/dh.h>
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
+#ifdef CONFIG_OPENSSL_CMAC
+#include <openssl/cmac.h>
+#endif /* CONFIG_OPENSSL_CMAC */

 #include "common.h"
 #include "wpabuf.h"
@ -747,3 +750,38 @@ int crypto_get_random(void *buf, size_t len)
 		return -1;
 	return 0;
 }
+
+
+#ifdef CONFIG_OPENSSL_CMAC
+int omac1_aes_128_vector(const u8 *key, size_t num_elem,
+			 const u8 *addr[], const size_t *len, u8 *mac)
+{
+	CMAC_CTX *ctx;
+	int ret = -1;
+	size_t outlen, i;
+
+	ctx = CMAC_CTX_new();
+	if (ctx == NULL)
+		return -1;
+
+	if (!CMAC_Init(ctx, key, 16, EVP_aes_128_cbc(), NULL))
+		goto fail;
+	for (i = 0; i < num_elem; i++) {
+		if (!CMAC_Update(ctx, addr[i], len[i]))
+			goto fail;
+	}
+	if (!CMAC_Final(ctx, mac, &outlen) || outlen != 16)
+		goto fail;
+
+	ret = 0;
+fail:
+	CMAC_CTX_free(ctx);
+	return ret;
+}
+
+
+int omac1_aes_128(const u8 *key, const u8 *data, size_t data_len, u8 *mac)
+{
+	return omac1_aes_128_vector(key, 1, &data, &data_len, mac);
+}
+#endif /* CONFIG_OPENSSL_CMAC */
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@ -70,6 +70,7 @@ endif

 ifdef CONFIG_FIPS
 CONFIG_NO_RANDOM_POOL=
+CONFIG_OPENSSL_CMAC=y
 endif

 OBJS = config.c
@ -1037,8 +1038,12 @@ AESOBJS += src/crypto/aes-encblock.c
 endif
 ifdef NEED_AES_OMAC1
 NEED_AES_ENC=y
+ifdef CONFIG_OPENSSL_CMAC
+CFLAGS += -DCONFIG_OPENSSL_CMAC
+else
 AESOBJS += src/crypto/aes-omac1.c
 endif
+endif
 ifdef NEED_AES_WRAP
 NEED_AES_ENC=y
 AESOBJS += src/crypto/aes-wrap.c
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@ -57,6 +57,7 @@ install: $(addprefix $(DESTDIR)$(BINDIR)/,$(BINALL))

 ifdef CONFIG_FIPS
 CONFIG_NO_RANDOM_POOL=
+CONFIG_OPENSSL_CMAC=y
 endif

 OBJS = config.o
@ -1065,8 +1066,12 @@ AESOBJS += ../src/crypto/aes-encblock.o
 endif
 ifdef NEED_AES_OMAC1
 NEED_AES_ENC=y
+ifdef CONFIG_OPENSSL_CMAC
+CFLAGS += -DCONFIG_OPENSSL_CMAC
+else
 AESOBJS += ../src/crypto/aes-omac1.o
 endif
+endif
 ifdef NEED_AES_WRAP
 NEED_AES_ENC=y
 AESOBJS += ../src/crypto/aes-wrap.o