diff --git a/src/crypto/Makefile b/src/crypto/Makefile index 33d0c3434..34e9ac7e9 100644 --- a/src/crypto/Makefile +++ b/src/crypto/Makefile @@ -31,7 +31,6 @@ LIB_OBJS= \ md4-internal.o \ md5.o \ md5-internal.o \ - md5-non-fips.o \ milenage.o \ ms_funcs.o \ rc4.o \ diff --git a/src/crypto/crypto.h b/src/crypto/crypto.h index 3edb7ca24..26b9acf2f 100644 --- a/src/crypto/crypto.h +++ b/src/crypto/crypto.h @@ -41,21 +41,6 @@ int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac); */ int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac); -#ifdef CONFIG_FIPS -/** - * md5_vector_non_fips_allow - MD5 hash for data vector (non-FIPS use allowed) - * @num_elem: Number of elements in the data vector - * @addr: Pointers to the data areas - * @len: Lengths of the data blocks - * @mac: Buffer for the hash - * Returns: 0 on success, -1 on failure - */ -int md5_vector_non_fips_allow(size_t num_elem, const u8 *addr[], - const size_t *len, u8 *mac); -#else /* CONFIG_FIPS */ -#define md5_vector_non_fips_allow md5_vector -#endif /* CONFIG_FIPS */ - /** * sha1_vector - SHA-1 hash for data vector diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c index 5cc32d165..711e312d0 100644 --- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c @@ -73,21 +73,14 @@ static BIGNUM * get_group5_prime(void) #define NO_SHA256_WRAPPER #endif -static int openssl_digest_vector(const EVP_MD *type, int non_fips, - size_t num_elem, const u8 *addr[], - const size_t *len, u8 *mac) +static int openssl_digest_vector(const EVP_MD *type, size_t num_elem, + const u8 *addr[], const size_t *len, u8 *mac) { EVP_MD_CTX ctx; size_t i; unsigned int mac_len; EVP_MD_CTX_init(&ctx); -#ifdef CONFIG_FIPS -#ifdef OPENSSL_FIPS - if (non_fips) - EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); -#endif /* OPENSSL_FIPS */ -#endif /* CONFIG_FIPS */ if (!EVP_DigestInit_ex(&ctx, type, NULL)) { wpa_printf(MSG_ERROR, "OpenSSL: EVP_DigestInit_ex failed: %s", ERR_error_string(ERR_get_error(), NULL)); @@ -113,7 +106,7 @@ static int openssl_digest_vector(const EVP_MD *type, int non_fips, int md4_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) { - return openssl_digest_vector(EVP_md4(), 0, num_elem, addr, len, mac); + return openssl_digest_vector(EVP_md4(), num_elem, addr, len, mac); } @@ -177,22 +170,13 @@ out: int md5_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) { - return openssl_digest_vector(EVP_md5(), 0, num_elem, addr, len, mac); + return openssl_digest_vector(EVP_md5(), num_elem, addr, len, mac); } -#ifdef CONFIG_FIPS -int md5_vector_non_fips_allow(size_t num_elem, const u8 *addr[], - const size_t *len, u8 *mac) -{ - return openssl_digest_vector(EVP_md5(), 1, num_elem, addr, len, mac); -} -#endif /* CONFIG_FIPS */ - - int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) { - return openssl_digest_vector(EVP_sha1(), 0, num_elem, addr, len, mac); + return openssl_digest_vector(EVP_sha1(), num_elem, addr, len, mac); } @@ -200,8 +184,7 @@ int sha1_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) int sha256_vector(size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac) { - return openssl_digest_vector(EVP_sha256(), 0, num_elem, addr, len, - mac); + return openssl_digest_vector(EVP_sha256(), num_elem, addr, len, mac); } #endif /* NO_SHA256_WRAPPER */ diff --git a/src/crypto/md5-non-fips.c b/src/crypto/md5-non-fips.c deleted file mode 100644 index 418f7828e..000000000 --- a/src/crypto/md5-non-fips.c +++ /dev/null @@ -1,107 +0,0 @@ -/* - * MD5 hash implementation and interface functions (non-FIPS allowed cases) - * Copyright (c) 2003-2009, Jouni Malinen - * - * This software may be distributed under the terms of the BSD license. - * See README for more details. - */ - -#include "includes.h" - -#include "common.h" -#include "md5.h" -#include "crypto.h" - - -/** - * hmac_md5_vector_non_fips_allow - HMAC-MD5 over data vector (RFC 2104) - * @key: Key for HMAC operations - * @key_len: Length of the key in bytes - * @num_elem: Number of elements in the data vector - * @addr: Pointers to the data areas - * @len: Lengths of the data blocks - * @mac: Buffer for the hash (16 bytes) - * Returns: 0 on success, -1 on failure - */ -int hmac_md5_vector_non_fips_allow(const u8 *key, size_t key_len, - size_t num_elem, const u8 *addr[], - const size_t *len, u8 *mac) -{ - u8 k_pad[64]; /* padding - key XORd with ipad/opad */ - u8 tk[16]; - const u8 *_addr[6]; - size_t i, _len[6]; - - if (num_elem > 5) { - /* - * Fixed limit on the number of fragments to avoid having to - * allocate memory (which could fail). - */ - return -1; - } - - /* if key is longer than 64 bytes reset it to key = MD5(key) */ - if (key_len > 64) { - if (md5_vector_non_fips_allow(1, &key, &key_len, tk)) - return -1; - key = tk; - key_len = 16; - } - - /* the HMAC_MD5 transform looks like: - * - * MD5(K XOR opad, MD5(K XOR ipad, text)) - * - * where K is an n byte key - * ipad is the byte 0x36 repeated 64 times - * opad is the byte 0x5c repeated 64 times - * and text is the data being protected */ - - /* start out by storing key in ipad */ - os_memset(k_pad, 0, sizeof(k_pad)); - os_memcpy(k_pad, key, key_len); - - /* XOR key with ipad values */ - for (i = 0; i < 64; i++) - k_pad[i] ^= 0x36; - - /* perform inner MD5 */ - _addr[0] = k_pad; - _len[0] = 64; - for (i = 0; i < num_elem; i++) { - _addr[i + 1] = addr[i]; - _len[i + 1] = len[i]; - } - if (md5_vector_non_fips_allow(1 + num_elem, _addr, _len, mac)) - return -1; - - os_memset(k_pad, 0, sizeof(k_pad)); - os_memcpy(k_pad, key, key_len); - /* XOR key with opad values */ - for (i = 0; i < 64; i++) - k_pad[i] ^= 0x5c; - - /* perform outer MD5 */ - _addr[0] = k_pad; - _len[0] = 64; - _addr[1] = mac; - _len[1] = MD5_MAC_LEN; - return md5_vector_non_fips_allow(2, _addr, _len, mac); -} - - -/** - * hmac_md5_non_fips_allow - HMAC-MD5 over data buffer (RFC 2104) - * @key: Key for HMAC operations - * @key_len: Length of the key in bytes - * @data: Pointers to the data area - * @data_len: Length of the data area - * @mac: Buffer for the hash (16 bytes) - * Returns: 0 on success, -1 on failure - */ -int hmac_md5_non_fips_allow(const u8 *key, size_t key_len, const u8 *data, - size_t data_len, u8 *mac) -{ - return hmac_md5_vector_non_fips_allow(key, key_len, 1, &data, - &data_len, mac); -} diff --git a/src/crypto/md5.h b/src/crypto/md5.h index 4d6e9045a..33f8426c5 100644 --- a/src/crypto/md5.h +++ b/src/crypto/md5.h @@ -15,15 +15,5 @@ int hmac_md5_vector(const u8 *key, size_t key_len, size_t num_elem, const u8 *addr[], const size_t *len, u8 *mac); int hmac_md5(const u8 *key, size_t key_len, const u8 *data, size_t data_len, u8 *mac); -#ifdef CONFIG_FIPS -int hmac_md5_vector_non_fips_allow(const u8 *key, size_t key_len, - size_t num_elem, const u8 *addr[], - const size_t *len, u8 *mac); -int hmac_md5_non_fips_allow(const u8 *key, size_t key_len, const u8 *data, - size_t data_len, u8 *mac); -#else /* CONFIG_FIPS */ -#define hmac_md5_vector_non_fips_allow hmac_md5_vector -#define hmac_md5_non_fips_allow hmac_md5 -#endif /* CONFIG_FIPS */ #endif /* MD5_H */ diff --git a/src/crypto/sha1-tlsprf.c b/src/crypto/sha1-tlsprf.c index e79265bad..0effd9b76 100644 --- a/src/crypto/sha1-tlsprf.c +++ b/src/crypto/sha1-tlsprf.c @@ -71,19 +71,16 @@ int tls_prf_sha1_md5(const u8 *secret, size_t secret_len, const char *label, S2--; } - hmac_md5_vector_non_fips_allow(S1, L_S1, 2, &MD5_addr[1], &MD5_len[1], - A_MD5); + hmac_md5_vector(S1, L_S1, 2, &MD5_addr[1], &MD5_len[1], A_MD5); hmac_sha1_vector(S2, L_S2, 2, &SHA1_addr[1], &SHA1_len[1], A_SHA1); MD5_pos = MD5_MAC_LEN; SHA1_pos = SHA1_MAC_LEN; for (i = 0; i < outlen; i++) { if (MD5_pos == MD5_MAC_LEN) { - hmac_md5_vector_non_fips_allow(S1, L_S1, 3, MD5_addr, - MD5_len, P_MD5); + hmac_md5_vector(S1, L_S1, 3, MD5_addr, MD5_len, P_MD5); MD5_pos = 0; - hmac_md5_non_fips_allow(S1, L_S1, A_MD5, MD5_MAC_LEN, - A_MD5); + hmac_md5(S1, L_S1, A_MD5, MD5_MAC_LEN, A_MD5); } if (SHA1_pos == SHA1_MAC_LEN) { hmac_sha1_vector(S2, L_S2, 3, SHA1_addr, SHA1_len, diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk index a3b155077..f6676491e 100644 --- a/wpa_supplicant/Android.mk +++ b/wpa_supplicant/Android.mk @@ -1093,9 +1093,6 @@ ifdef NEED_MD5 ifdef CONFIG_INTERNAL_MD5 MD5OBJS += src/crypto/md5-internal.c endif -ifdef CONFIG_FIPS -MD5OBJS += src/crypto/md5-non-fips.c -endif OBJS += $(MD5OBJS) OBJS_p += $(MD5OBJS) endif diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 0aa6a9983..eb64725d9 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -1122,11 +1122,6 @@ ifdef NEED_MD5 ifdef CONFIG_INTERNAL_MD5 MD5OBJS += ../src/crypto/md5-internal.o endif -ifdef CONFIG_FIPS -ifdef NEED_TLS_PRF -MD5OBJS += ../src/crypto/md5-non-fips.o -endif -endif OBJS += $(MD5OBJS) OBJS_p += $(MD5OBJS) endif