EAP-TTLS: Disable CHAP, MSCHAP, and MSCHAPV2 in CONFIG_FIPS=y builds

FIPS builds do not include support for MD4/MD5, so disable
EAP-TTLS/CHAP, MSCHAP, and MSCHAPV2 when CONFIG_FIPS=y is used.

Signed-off-by: Jouni Malinen <j@w1.fi>

diff --git a/src/eap_peer/eap_ttls.c b/src/eap_peer/eap_ttls.c
index 3f59a5f..b186c91 100644 (file)
--- a/src/eap_peer/eap_ttls.c
+++ b/src/eap_peer/eap_ttls.c
@@ -254,11 +254,13 @@ static int eap_ttls_v0_derive_key(struct eap_sm *sm,
 }
 
 
+#ifndef CONFIG_FIPS
 static u8 * eap_ttls_implicit_challenge(struct eap_sm *sm,
                                        struct eap_ttls_data *data, size_t len)
 {
        return eap_peer_tls_derive_key(sm, &data->ssl, "ttls challenge", len);
 }
+#endif /* CONFIG_FIPS */
 
 
 static void eap_ttls_phase2_select_eap_method(struct eap_ttls_data *data,
@@ -429,6 +431,10 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
                                            struct eap_method_ret *ret,
                                            struct wpabuf **resp)
 {
+#ifdef CONFIG_FIPS
+       wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPV2 not supported in FIPS build");
+       return -1;
+#else /* CONFIG_FIPS */
 #ifdef EAP_MSCHAPv2
        struct wpabuf *msg;
        u8 *buf, *pos, *challenge, *peer_challenge;
@@ -511,6 +517,7 @@ static int eap_ttls_phase2_request_mschapv2(struct eap_sm *sm,
        wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAPv2 not included in the build");
        return -1;
 #endif /* EAP_MSCHAPv2 */
+#endif /* CONFIG_FIPS */
 }
 
 
@@ -519,6 +526,10 @@ static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
                                          struct eap_method_ret *ret,
                                          struct wpabuf **resp)
 {
+#ifdef CONFIG_FIPS
+       wpa_printf(MSG_ERROR, "EAP-TTLS: MSCHAP not supported in FIPS build");
+       return -1;
+#else /* CONFIG_FIPS */
        struct wpabuf *msg;
        u8 *buf, *pos, *challenge;
        const u8 *identity, *password;
@@ -593,6 +604,7 @@ static int eap_ttls_phase2_request_mschap(struct eap_sm *sm,
        ret->decision = DECISION_COND_SUCC;
 
        return 0;
+#endif /* CONFIG_FIPS */
 }
 
 
@@ -655,6 +667,10 @@ static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
                                        struct eap_method_ret *ret,
                                        struct wpabuf **resp)
 {
+#ifdef CONFIG_FIPS
+       wpa_printf(MSG_ERROR, "EAP-TTLS: CHAP not supported in FIPS build");
+       return -1;
+#else /* CONFIG_FIPS */
        struct wpabuf *msg;
        u8 *buf, *pos, *challenge;
        const u8 *identity, *password;
@@ -723,6 +739,7 @@ static int eap_ttls_phase2_request_chap(struct eap_sm *sm,
        ret->decision = DECISION_COND_SUCC;
 
        return 0;
+#endif /* CONFIG_FIPS */
 }
 
 

diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk
index 5070d14..149ad3e 100644 (file)
--- a/wpa_supplicant/Android.mk
+++ b/wpa_supplicant/Android.mk
@@ -428,9 +428,11 @@ L_CFLAGS += -DEAP_TTLS
 OBJS += src/eap_peer/eap_ttls.c
 OBJS_h += src/eap_server/eap_server_ttls.c
 endif
-MS_FUNCS=y
 TLS_FUNCS=y
+ifndef CONFIG_FIPS
+MS_FUNCS=y
 CHAP=y
+endif
 CONFIG_IEEE8021X_EAPOL=y
 endif
 

diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 8b2d679..49e64f0 100644 (file)
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -425,9 +425,11 @@ CFLAGS += -DEAP_TTLS
 OBJS += ../src/eap_peer/eap_ttls.o
 OBJS_h += ../src/eap_server/eap_server_ttls.o
 endif
-MS_FUNCS=y
 TLS_FUNCS=y
+ifndef CONFIG_FIPS
+MS_FUNCS=y
 CHAP=y
+endif
 CONFIG_IEEE8021X_EAPOL=y
 endif