Sync: * OpenSSL: Implement AES keywrap using the EVP API #87

Open: wants to merge 1 commit into base: master

JunhongMao

Why I did it
The two PRs below added some extra compile options to ignore the compiler errors during the Debian bookworm build.
#79
#80

This PR is to gracefully fix these compiler errors and meet the FIPS compliance requirements.

How I did it
Ported the below commit:
https://w1.fi/cgit/hostap/commit/?id=092efd45a6186c72b5a44f98ad99c81fd33402a6

OpenSSL 3.0 deprecated the low-level encryption functions, so use the EVP API for this. Maintain the previous version for BoringSSL and LibreSSL since not all versions seem to have the EVP_aes_*_wrap() functions needed for the EVP API.

How to verify it
In the KVM-based testbed environment, tested it with FIPS and non-FIPS mode by running the SONiC MACSEC testing suite and got PASSED results.

The KVM-based testbed setup manual:
https://github.com/sonic-net/sonic-mgmt/blob/master/docs/testbed/README.testbed.VsSetup.md#option-1-veos-kvm-based-image

~/sonic-mgmt/tests$ ./run_tests.sh -n vms-kvm-t0 -d vlab-01 -c macsec/test_controlplane.py -f vtestbed.yaml -i ../ansible/veos_vtb -u -e "--enable_macsec --neighbor_type=sonic --macsec_profile=128_SCI,256_XPN_SCI" -x

macsec/test_controlplane.py::TestControlPlane::test_wpa_supplicant_processes[128_SCI] PASSED [ 12%]
macsec/test_controlplane.py::TestControlPlane::test_appl_db[128_SCI] PASSED [ 25%]
macsec/test_controlplane.py::TestControlPlane::test_mka_session[128_SCI] PASSED [ 37%]
macsec/test_controlplane.py::TestControlPlane::test_rekey_by_period[128_SCI] SKIPPED (If the rekey period is 0 which means rekey by period isn't active.) [ 50%]
macsec/test_controlplane.py::TestControlPlane::test_wpa_supplicant_processes[256_XPN_SCI] PASSED [ 62%]
macsec/test_controlplane.py::TestControlPlane::test_appl_db[256_XPN_SCI] PASSED [ 75%]
macsec/test_controlplane.py::TestControlPlane::test_mka_session[256_XPN_SCI] PASSED [ 87%]
macsec/test_controlplane.py::TestControlPlane::test_rekey_by_period[256_XPN_SCI] PASSED

To gracefully fix these compiler errors and meet the FIPS compliance requirements.

https://w1.fi/cgit/hostap/commit/?id=092efd45a6186c72b5a44f98ad99c81fd33402a6

OpenSSL 3.0 deprecated the low-level encryption functions, so use the
EVP API for this. Maintain the previous version for BoringSSL and
LibreSSL since not all versions seem to have the EVP_aes_*_wrap()
functions needed for the EVP API.

Signed-off-by: Jouni Malinen <[email protected]>