Preliminary support for FIPS mode operation with OpenSSL
authorJouni Malinen <j@w1.fi>
Sun, 16 Aug 2009 11:24:22 +0000 (14:24 +0300)
committerJouni Malinen <j@w1.fi>
Sun, 16 Aug 2009 11:24:22 +0000 (14:24 +0300)
wpa_supplicant can now be built with FIPS capable OpenSSL for FIPS mode
operation. Currently, this only enables FIPS mode in OpenSSL
without providing any higher-level enforcement in wpa_supplicant.
Consequently, invalid configuration will fail during the authentication
run. Proper configuration (e.g., WPA2-Enterprise with EAP-TLS) allows
the connection to be completed.

src/crypto/tls.h
src/crypto/tls_openssl.c
src/eap_peer/eap.c
wpa_supplicant/Makefile

index dafe8bb44bbeb127aa28fd6fb27d2046a716ca6c..4ee03332fe1aef54194332d4469155a17e26f118 100644 (file)
@@ -32,6 +32,7 @@ struct tls_config {
        const char *opensc_engine_path;
        const char *pkcs11_engine_path;
        const char *pkcs11_module_path;
+       int fips_mode;
 };
 
 /**
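Review bot: The new `fips_mode` member has no description, and its contract is only discoverable from tls_openssl.c in this same commit: a non-zero value asks tls_init() to switch OpenSSL into FIPS mode, and tls_init() returns NULL when that is requested but the library was built without OPENSSL_FIPS. A one-line comment on the field would make that visible to callers, e.g. `/* non-zero: require OpenSSL FIPS mode; tls_init() fails if it cannot be enabled */`. The struct tls_config definition begins outside the hunk.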
index 1a716db3f9f6a0c519a3bf868d5121a3334960c7..be26286a0d9152f45c17255ed117166793dc9a7b 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * WPA Supplicant / SSL/TLS interface functions for openssl
- * Copyright (c) 2004-2008, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2004-2009, Jouni Malinen <j@w1.fi>
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 as
@@ -733,6 +733,26 @@ void * tls_init(const struct tls_config *conf)
        SSL_CTX *ssl;
 
        if (tls_openssl_ref_count == 0) {
+#ifdef CONFIG_FIPS
+#ifdef OPENSSL_FIPS
+               if (conf->fips_mode) {
+                       if (!FIPS_mode_set(1)) {
+                               wpa_printf(MSG_ERROR, "Failed to enable FIPS "
+                                          "mode");
+                               ERR_load_crypto_strings();
+                               ERR_print_errors_fp(stderr);
+                               return NULL;
+                       } else
+                               wpa_printf(MSG_INFO, "Running in FIPS mode");
+               }
+#else /* OPENSSL_FIPS */
+               if (conf->fips_mode) {
+                       wpa_printf(MSG_ERROR, "FIPS mode requested, but not "
+                                  "supported");
+                       return NULL;
+               }
+#endif /* OPENSSL_FIPS */
+#endif /* CONFIG_FIPS */
                SSL_load_error_strings();
                SSL_library_init();
 #ifndef OPENSSL_NO_SHA256
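Review bot: The FIPS request is honoured only on the first tls_init() call, because the whole new block sits inside `if (tls_openssl_ref_count == 0)`; a later caller that passes conf->fips_mode after a non-FIPS initialization gets a working context with FIPS silently off, and nothing records which mode was actually enabled. A check on the shared-context path such as `if (conf->fips_mode && !FIPS_mode()) { wpa_printf(MSG_ERROR, "FIPS mode requested but not enabled"); return NULL; }` would fail that caller explicitly instead. The failure branch also reports the OpenSSL error through `ERR_print_errors_fp(stderr)` rather than wpa_printf, so the detail bypasses the normal log path; `ERR_error_string(ERR_get_error(), NULL)` passed to wpa_printf would keep it in one place. The `} else` at the end of the FIPS_mode_set() test is the only unbraced branch in the block and reads inconsistently with the braced if. tls_init() starts and ends outside the hunk.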
index e8e504af54956b553e2e6c7052caecaf93c0703f..a95795311351e0259f537305d66b82ae708db50d 100644 (file)
@@ -1188,6 +1188,9 @@ struct eap_sm * eap_peer_sm_init(void *eapol_ctx,
        tlsconf.opensc_engine_path = conf->opensc_engine_path;
        tlsconf.pkcs11_engine_path = conf->pkcs11_engine_path;
        tlsconf.pkcs11_module_path = conf->pkcs11_module_path;
+#ifdef CONFIG_FIPS
+       tlsconf.fips_mode = 1;
+#endif /* CONFIG_FIPS */
        sm->ssl_ctx = tls_init(&tlsconf);
        if (sm->ssl_ctx == NULL) {
                wpa_printf(MSG_WARNING, "SSL: Failed to initialize TLS "
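Review bot: `tlsconf.fips_mode = 1;` is a compile-time constant whereas the three neighbouring fields are copied from `conf`, so FIPS becomes a build-time decision and the runtime flag just added to struct tls_config cannot vary per caller; copying it from the peer configuration like the other fields (a new member on that struct, set from the build default) would keep the two layers consistent and make the `#ifdef` here unnecessary. When CONFIG_FIPS is not defined the field is never assigned in this hunk, which is only safe if tlsconf is zero-initialized earlier in eap_peer_sm_init() — that initialization is not visible here and is worth confirming. eap_peer_sm_init() starts and ends outside the hunk.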
index 311b5378787837360e4c5a3fe919f7ddca8c23f5..381dfa9523ac7dc9263a9f55361016ddfe28604b 100644 (file)
@@ -1066,6 +1066,10 @@ OBJS += $(OBJS_d) ../src/drivers/drivers.o
 OBJS += $(OBJS_l2)
 endif
 
+ifdef CONFIG_FIPS
+CFLAGS += -DCONFIG_FIPS
+endif
+
 ifdef CONFIG_NDIS_EVENTS_INTEGRATED
 CFLAGS += -DCONFIG_NDIS_EVENTS_INTEGRATED
 OBJS += ../src/drivers/ndis_events.o
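Review bot: CONFIG_FIPS only defines the macro; the tls_openssl.c change in this commit additionally depends on OPENSSL_FIPS coming from the OpenSSL headers, so a build against a non-FIPS OpenSSL succeeds and then fails at runtime in tls_init() with "FIPS mode requested, but not supported". A comment next to the flag stating the requirement would save that surprise, e.g. `# CONFIG_FIPS requires a FIPS capable OpenSSL build (OPENSSL_FIPS defined by its headers)`.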