Preliminary support for FIPS mode operation with OpenSSL
wpa_supplicant can now be built with a FIPS-capable OpenSSL for FIPS mode operation. Currently, this only enables FIPS mode in OpenSSL without providing any higher level enforcement in wpa_supplicant. Consequently, a configuration that is not valid under FIPS mode is not rejected up front; it fails during the authentication run. A proper configuration (e.g., WPA2-Enterprise with EAP-TLS) allows the connection to be completed.
This commit is contained in:
parent
6d503f67e3
commit
76f04b38b0
4 changed files with 29 additions and 1 deletions
|
@ -32,6 +32,7 @@ struct tls_config {
|
||||||
const char *opensc_engine_path;
|
const char *opensc_engine_path;
|
||||||
const char *pkcs11_engine_path;
|
const char *pkcs11_engine_path;
|
||||||
const char *pkcs11_module_path;
|
const char *pkcs11_module_path;
|
||||||
|
int fips_mode;
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
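Review bot: The new `fips_mode` field in struct tls_config is added without any description, although the file appears to carry doxygen documentation (a `/**` block starts right after the struct, and the struct's own header comment lies above the hunk). Its meaning is fixed by the openssl backend in this same commit: when set, tls_init() enables FIPS mode in OpenSSL and returns NULL if that fails or the build has no FIPS support, and the field is only consulted in CONFIG_FIPS builds. I would state that at the declaration, e.g. `int fips_mode; /* 1 = require the TLS library to run in FIPS mode; tls_init() fails if this cannot be honored (CONFIG_FIPS builds only) */`, or in the struct's doxygen comment if that is where the other fields are described. The struct opening and its header comment are outside the hunk.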
@ -1,6 +1,6 @@
|
||||||
/*
|
/*
|
||||||
* WPA Supplicant / SSL/TLS interface functions for openssl
|
* WPA Supplicant / SSL/TLS interface functions for openssl
|
||||||
* Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
|
* Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
|
||||||
*
|
*
|
||||||
* This program is free software; you can redistribute it and/or modify
|
* This program is free software; you can redistribute it and/or modify
|
||||||
* it under the terms of the GNU General Public License version 2 as
|
* it under the terms of the GNU General Public License version 2 as
|
||||||
|
@ -733,6 +733,26 @@ void * tls_init(const struct tls_config *conf)
|
||||||
SSL_CTX *ssl;
|
SSL_CTX *ssl;
|
||||||
|
|
||||||
if (tls_openssl_ref_count == 0) {
|
if (tls_openssl_ref_count == 0) {
|
||||||
|
#ifdef CONFIG_FIPS
|
||||||
|
#ifdef OPENSSL_FIPS
|
||||||
|
if (conf->fips_mode) {
|
||||||
|
if (!FIPS_mode_set(1)) {
|
||||||
|
wpa_printf(MSG_ERROR, "Failed to enable FIPS "
|
||||||
|
"mode");
|
||||||
|
ERR_load_crypto_strings();
|
||||||
|
ERR_print_errors_fp(stderr);
|
||||||
|
return NULL;
|
||||||
|
} else
|
||||||
|
wpa_printf(MSG_INFO, "Running in FIPS mode");
|
||||||
|
}
|
||||||
|
#else /* OPENSSL_FIPS */
|
||||||
|
if (conf->fips_mode) {
|
||||||
|
wpa_printf(MSG_ERROR, "FIPS mode requested, but not "
|
||||||
|
"supported");
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
#endif /* OPENSSL_FIPS */
|
||||||
|
#endif /* CONFIG_FIPS */
|
||||||
SSL_load_error_strings();
|
SSL_load_error_strings();
|
||||||
SSL_library_init();
|
SSL_library_init();
|
||||||
#ifndef OPENSSL_NO_SHA256
|
#ifndef OPENSSL_NO_SHA256
|
||||||
|
|
|
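Review bot: FIPS mode is only requested on the very first tls_init() call, because the whole new block sits inside `if (tls_openssl_ref_count == 0)`, so a later caller that sets `conf->fips_mode` after OpenSSL was already initialized by a caller that did not set it receives a context without FIPS mode and no error. Within this commit the only caller is eap_peer_sm_init(), but tls_init() is a shared entry point, so I would verify the mode when the library is already initialized and fail the same way the first-init path does (FIPS_mode() should be available in the same FIPS-capable builds that provide FIPS_mode_set()). Separately, `ERR_print_errors_fp(stderr)` bypasses wpa_printf, so the reason for the failure is lost when the supplicant runs detached with stderr closed; if this file already has a helper that drains the OpenSSL error queue through wpa_printf, use it here instead. The body of the `if (tls_openssl_ref_count == 0)` block and the rest of tls_init() continue below the hunk.
```c
#if defined(CONFIG_FIPS) && defined(OPENSSL_FIPS)
	/* OpenSSL is process-global: a request made after another caller
	 * already initialized it without FIPS mode must not be ignored. */
	if (conf->fips_mode && tls_openssl_ref_count > 0 && !FIPS_mode()) {
		wpa_printf(MSG_ERROR, "FIPS mode requested, but OpenSSL was "
			   "already initialized without it");
		return NULL;
	}
#endif /* CONFIG_FIPS && OPENSSL_FIPS */
	if (tls_openssl_ref_count == 0) {
		/* … unchanged: FIPS_mode_set(1) block and library init … */
```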
@ -1188,6 +1188,9 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
|
||||||
tlsconf.opensc_engine_path = conf->opensc_engine_path;
|
tlsconf.opensc_engine_path = conf->opensc_engine_path;
|
||||||
tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
|
tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
|
||||||
tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
|
tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
|
||||||
|
#ifdef CONFIG_FIPS
|
||||||
|
tlsconf.fips_mode = 1;
|
||||||
|
#endif /* CONFIG_FIPS */
|
||||||
sm->ssl_ctx = tls_init(&tlsconf);
|
sm->ssl_ctx = tls_init(&tlsconf);
|
||||||
if (sm->ssl_ctx == NULL) {
|
if (sm->ssl_ctx == NULL) {
|
||||||
wpa_printf(MSG_WARNING, "SSL: Failed to initialize TLS "
|
wpa_printf(MSG_WARNING, "SSL: Failed to initialize TLS "
|
||||||
|
|
|
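Review bot: Under CONFIG_FIPS the request is hard-wired with `tlsconf.fips_mode = 1;` and nothing explains that this makes FIPS mode mandatory for every EAP peer TLS context, nor that the non-CONFIG_FIPS build never writes the field and therefore relies on `tlsconf` having been zeroed earlier in eap_peer_sm_init() (that initialization is above the hunk, so I cannot confirm it here). A one-line comment would make the intent clear to the next reader: `/* CONFIG_FIPS builds always demand FIPS mode; tls_init() fails if it cannot be enabled */`. The visible failure path only logs `SSL: Failed to initialize TLS` at MSG_WARNING; the FIPS-specific reason is logged at MSG_ERROR inside tls_init(), which is probably enough, but it is worth confirming that eap_peer_sm_init() aborts rather than continuing with a NULL ssl_ctx, since its continuation is outside the hunk.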
@ -1066,6 +1066,10 @@ OBJS += $(OBJS_d) ../src/drivers/drivers.o
|
||||||
OBJS += $(OBJS_l2)
|
OBJS += $(OBJS_l2)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifdef CONFIG_FIPS
|
||||||
|
CFLAGS += -DCONFIG_FIPS
|
||||||
|
endif
|
||||||
|
|
||||||
ifdef CONFIG_NDIS_EVENTS_INTEGRATED
|
ifdef CONFIG_NDIS_EVENTS_INTEGRATED
|
||||||
CFLAGS += -DCONFIG_NDIS_EVENTS_INTEGRATED
|
CFLAGS += -DCONFIG_NDIS_EVENTS_INTEGRATED
|
||||||
OBJS += ../src/drivers/ndis_events.o
|
OBJS += ../src/drivers/ndis_events.o
|
||||||
|
|
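Review bot: `ifdef CONFIG_FIPS` only adds `-DCONFIG_FIPS`; it does not check that the build actually uses the OpenSSL TLS backend, which is the only backend this commit teaches to honor `fips_mode`. With any other backend the EAP peer would still set `tlsconf.fips_mode = 1` and the request would be silently ignored, so the connection proceeds without FIPS mode under a build flag whose name promises it. If the TLS backend is selected by a `CONFIG_TLS` variable (as I would expect, but cannot see in this hunk), guard it inside the block: `ifneq ($(CONFIG_TLS), openssl)` / `$(error CONFIG_FIPS requires CONFIG_TLS=openssl)` / `endif`. The diffstat shows no defconfig change, so the new option is currently discoverable only by reading the Makefile; a commented-out `#CONFIG_FIPS=y` entry with a one-line description would help.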