From 76f04b38b06ac5b3e63838ab36f24f339c2587a3 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 16 Aug 2009 14:24:22 +0300
Subject: [PATCH] Preliminary support for FIPS mode operation with OpenSSL

wpa_supplicant can now be built with FIPS capable OpenSSL for FIPS mode operation. Currently, this is only enabling the FIPS mode in OpenSSL without providing any higher level enforcement in wpa_supplicant. Consequently, invalid configuration will fail during the authentication run. Proper configuration (e.g., WPA2-Enterprise with EAP-TLS) allows the connection to be completed.
---
 src/crypto/tls.h | 1 +
 src/crypto/tls_openssl.c | 22 +++++++++++++++++++++-
 src/eap_peer/eap.c | 3 +++
 wpa_supplicant/Makefile | 4 ++++
 4 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/crypto/tls.h b/src/crypto/tls.h
index dafe8bb44..4ee03332f 100644
--- a/src/crypto/tls.h
+++ b/src/crypto/tls.h
@@ -32,6 +32,7 @@ struct tls_config {
 	const char *opensc_engine_path;
 	const char *pkcs11_engine_path;
 	const char *pkcs11_module_path;
+	int fips_mode;
 };
 
 /**
diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
index 1a716db3f..be26286a0 100644
--- a/src/crypto/tls_openssl.c
+++ b/src/crypto/tls_openssl.c
@@ -1,6 +1,6 @@
 /*
  * WPA Supplicant / SSL/TLS interface functions for openssl
- * Copyright (c) 2004-2008, Jouni Malinen
+ * Copyright (c) 2004-2009, Jouni Malinen
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
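Review bot: The new `int fips_mode;` member of struct tls_config is added without documentation, so a caller cannot tell from the header that a non-zero value is a hard requirement (tls_init() returns NULL rather than degrading when the request cannot be honoured) instead of a preference. If the struct's leading comment documents members in the `@name:` form, add `@fips_mode: Request FIPS mode from the TLS library; tls_init() returns NULL if it is requested but cannot be enabled`, otherwise a trailing `/* non-zero: require FIPS mode; tls_init() fails if unavailable */` on the field. tls_init() in the OpenSSL backend reads the field in every CONFIG_FIPS build, so any caller that fills a struct tls_config member by member without zeroing it first passes an indeterminate value; this patch sets it only in eap_peer_sm_init(), so the other tls_init() callers are worth checking.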
@@ -733,6 +733,26 @@ void * tls_init(const struct tls_config *conf)
 	SSL_CTX *ssl;
 
 	if (tls_openssl_ref_count == 0) {
+#ifdef CONFIG_FIPS
+#ifdef OPENSSL_FIPS
+		if (conf->fips_mode) {
+			if (!FIPS_mode_set(1)) {
+				wpa_printf(MSG_ERROR, "Failed to enable FIPS "
+					   "mode");
+				ERR_load_crypto_strings();
+				ERR_print_errors_fp(stderr);
+				return NULL;
+			} else
+				wpa_printf(MSG_INFO, "Running in FIPS mode");
+		}
+#else /* OPENSSL_FIPS */
+		if (conf->fips_mode) {
+			wpa_printf(MSG_ERROR, "FIPS mode requested, but not "
+				   "supported");
+			return NULL;
+		}
+#endif /* OPENSSL_FIPS */
+#endif /* CONFIG_FIPS */
 		SSL_load_error_strings();
 		SSL_library_init();
 #ifndef OPENSSL_NO_SHA256
diff --git a/src/eap_peer/eap.c b/src/eap_peer/eap.c
index e8e504af5..a95795311 100644
--- a/src/eap_peer/eap.c
+++ b/src/eap_peer/eap.c
@@ -1188,6 +1188,9 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
 	tlsconf.opensc_engine_path = conf->opensc_engine_path;
 	tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
 	tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
+#ifdef CONFIG_FIPS
+	tlsconf.fips_mode = 1;
+#endif /* CONFIG_FIPS */
 	sm->ssl_ctx = tls_init(&tlsconf);
 	if (sm->ssl_ctx == NULL) {
 		wpa_printf(MSG_WARNING, "SSL: Failed to initialize TLS "
diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile
index 311b53787..381dfa952 100644
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
@@ -1066,6 +1066,10 @@ OBJS += $(OBJS_d) ../src/drivers/drivers.o
 OBJS += $(OBJS_l2)
 endif
 
+ifdef CONFIG_FIPS
+CFLAGS += -DCONFIG_FIPS
+endif
+
 ifdef CONFIG_NDIS_EVENTS_INTEGRATED
 CFLAGS += -DCONFIG_NDIS_EVENTS_INTEGRATED
 OBJS += ../src/drivers/ndis_events.o
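Review bot: The FIPS request is honoured only on the first initialization, because the whole new block sits inside `if (tls_openssl_ref_count == 0)`; a later tls_init() call with `conf->fips_mode` set, after a first call that did not request it, returns a usable context that is silently running without FIPS mode. An `else if (conf->fips_mode && !FIPS_mode())` branch on that ref-count check (its closing brace is outside the hunk), under the same CONFIG_FIPS/OPENSSL_FIPS conditionals, that logs `"FIPS mode requested, but TLS library already initialized without it"` via wpa_printf(MSG_ERROR) and returns NULL would close that gap. Separately, `ERR_print_errors_fp(stderr)` bypasses the wpa_printf logging path, so the OpenSSL reason for the FIPS_mode_set() failure is lost whenever stderr is not where the log goes; formatting it with `ERR_error_string_n(ERR_get_error(), ...)` into a wpa_printf(MSG_ERROR) line keeps it with the rest of the diagnostics. The unbraced `} else` body next to a braced `if` is also easy to misread and departs from the surrounding style. tls_init() continues beyond the end of the hunk.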
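Review bot: The assignment `tlsconf.fips_mode = 1;` hard-wires the request at build time with no comment, so a reader of eap_peer_sm_init() cannot tell that a CONFIG_FIPS build refuses TLS initialization entirely when FIPS mode cannot be enabled rather than falling back, which is what the OpenSSL backend does with this value. A one-line comment above the `#ifdef`, such as `/* CONFIG_FIPS builds always request FIPS mode; tls_init() fails if it cannot be enabled */`, would make that intent explicit. This presumably relies on tlsconf having been zeroed earlier in the function, which is outside the hunk; eap_peer_sm_init() also continues past the end of the hunk.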
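Review bot: `CONFIG_FIPS` only adds the define; nothing ties it to `CONFIG_TLS=openssl`, and the patch touches only tls_openssl.c, so a CONFIG_FIPS build with another TLS backend compiles, sets tlsconf.fips_mode, and that backend's tls_init() presumably ignores the field, yielding a binary that was configured for FIPS without anything enforcing it. Inside the new `ifdef CONFIG_FIPS` block, a guard of the form `ifneq ($(CONFIG_TLS), openssl)` / `$(error CONFIG_FIPS requires CONFIG_TLS=openssl)` / `endif` turns that into a build-time failure, assuming the Makefile has already applied its default for CONFIG_TLS above this point. A matching commented-out `#CONFIG_FIPS=y` entry in the defconfig, with a note that it requires a FIPS capable OpenSSL, would also help, if this patch does not already provide one.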