Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sync: OpenSSL: Implement HMAC using the high lever EVP_MAC API #86

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

JunhongMao
Copy link

Why I did it

The below two PRs added some extra compile options to ignore the compiler errors during the Debian bookworm building.
#79
#80
To gracefully fix these compiler errors and meet the FIPS compliance requirements, this PR synced with the related commits from the Hostap repository to this Sonic-wpa-supplicant repository.

How I did it

Ported the below two commits to here.
https://w1.fi/cgit/hostap/commit/?id=e31500adea726897b2c308dae74ca2a3017d17c7

  • OpenSSL: Implement HMAC using the EVP_MAC API

OpenSSL 3.0 deprecated the low-level HMAC functions, so use the EVP_MAC API for this. Maintain the HMAC API variant for older versions.

https://w1.fi/cgit/hostap/commit/?id=c9c2c2d9c73d8d74a1e285505a56d2127a7507d3

  • OpenSSL: Fix a memory leak on crypto_hash_init() error path

The EVP_MAC context data needs to be freed on error paths.

Fixes: e31500adea72 ("OpenSSL: Implement HMAC using the EVP_MAC API")

How to verify it

In the KVM-based testbed environment, tested it with FIPS and non-FIPS mode by running the SONiC MACSEC testing suite and got PASSED results.

The KVM-based testbed setup manual.
https://github.com/sonic-net/sonic-mgmt/blob/master/docs/testbed/README.testbed.VsSetup.md#option-1-veos-kvm-based-image

~/sonic-mgmt/tests$ ./run_tests.sh -n vms-kvm-t0 -d vlab-01 -c macsec/test_controlplane.py -f vtestbed.yaml -i ../ansible/veos_vtb -u -e "--enable_macsec --neighbor_type=sonic --macsec_profile=128_SCI,256_XPN_SCI" -x

macsec/test_controlplane.py::TestControlPlane::test_wpa_supplicant_processes[128_SCI] PASSED                                                                                                                                                 [ 12%]
macsec/test_controlplane.py::TestControlPlane::test_appl_db[128_SCI] PASSED                                                                                                                                                                  [ 25%]
macsec/test_controlplane.py::TestControlPlane::test_mka_session[128_SCI] PASSED                                                                                                                                                              [ 37%]
macsec/test_controlplane.py::TestControlPlane::test_rekey_by_period[128_SCI] SKIPPED (If the rekey period is 0 which means rekey by period isn't active.)                                                                                    [ 50%]
macsec/test_controlplane.py::TestControlPlane::test_wpa_supplicant_processes[256_XPN_SCI] PASSED                                                                                                                                             [ 62%]
macsec/test_controlplane.py::TestControlPlane::test_appl_db[256_XPN_SCI] PASSED                                                                                                                                                              [ 75%]
macsec/test_controlplane.py::TestControlPlane::test_mka_session[256_XPN_SCI] PASSED                                                                                                                                                          [ 87%]
macsec/test_controlplane.py::TestControlPlane::test_rekey_by_period[256_XPN_SCI] PASSED                                                                                                                                                      [100%]

https://w1.fi/cgit/hostap/commit/?id=e31500adea726897b2c308dae74ca2a3017d17c7

* OpenSSL: Implement HMAC using the EVP_MAC API

OpenSSL 3.0 deprecated the low-level HMAC functions, so use the EVP_MAC
API for this. Maintain the HMAC API variant for older versions.

Signed-off-by: Jouni Malinen <[email protected]>

https://w1.fi/cgit/hostap/commit/?id=c9c2c2d9c73d8d74a1e285505a56d2127a7507d3

* OpenSSL: Fix a memory leak on crypto_hash_init() error path

The EVP_MAC context data needs to be freed on error paths.

Fixes: e31500adea72 ("OpenSSL: Implement HMAC using the EVP_MAC API")
Signed-off-by: Jouni Malinen <[email protected]>
@JunhongMao
Copy link
Author

@wumiaont, @lguohan , @xumia please help to review, thanks.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant