From c9e08af24fd7dda3f21674cdc744579b8c38fa28 Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Thu, 16 Aug 2012 19:38:15 +0300 Subject: [PATCH] Do not export TLS keys in FIPS mode Only allow the TLS library keying material exporter functionality to be used for MSK derivation with TLS-based EAP methods to avoid exporting internal TLS keys from the library. Signed-hostap: Jouni Malinen --- src/crypto/tls_openssl.c | 6 ++++++ src/eap_peer/eap_tls_common.c | 4 ++++ wpa_supplicant/Makefile | 2 ++ 3 files changed, 12 insertions(+) diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 50ce23a61..864414cfd 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -2299,6 +2299,11 @@ static int tls_global_dh(SSL_CTX *ssl_ctx, const char *dh_file) int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn, struct tls_keys *keys) { +#ifdef CONFIG_FIPS + wpa_printf(MSG_ERROR, "OpenSSL: TLS keys cannot be exported in FIPS " + "mode"); + return -1; +#else /* CONFIG_FIPS */ SSL *ssl; if (conn == NULL || keys == NULL) @@ -2316,6 +2321,7 @@ int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn, keys->server_random_len = SSL3_RANDOM_SIZE; return 0; +#endif /* CONFIG_FIPS */ } diff --git a/src/eap_peer/eap_tls_common.c b/src/eap_peer/eap_tls_common.c index 47e4f74e7..c91d863ae 100644 --- a/src/eap_peer/eap_tls_common.c +++ b/src/eap_peer/eap_tls_common.c @@ -259,7 +259,9 @@ void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data) u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, const char *label, size_t len) { +#ifndef CONFIG_FIPS struct tls_keys keys; +#endif /* CONFIG_FIPS */ u8 *rnd = NULL, *out; out = os_malloc(len); @@ -271,6 +273,7 @@ u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, == 0) return out; +#ifndef CONFIG_FIPS /* * TLS library did not support key generation, so get the needed TLS * session parameters and use an internal implementation of TLS PRF to @@ -299,6 +302,7 @@ u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data, return out; fail: +#endif /* CONFIG_FIPS */ os_free(out); os_free(rnd); return NULL; diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 71e43b6c8..d7419d765 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -847,8 +847,10 @@ NEED_DES=y # Shared TLS functions (needed for EAP_TLS, EAP_PEAP, EAP_TTLS, and EAP_FAST) OBJS += ../src/eap_peer/eap_tls_common.o OBJS_h += ../src/eap_server/eap_server_tls_common.o +ifndef CONFIG_FIPS NEED_TLS_PRF=y endif +endif ifndef CONFIG_TLS CONFIG_TLS=openssl