wpa_supplicant in FIPS 140-2 mode

Jate Sujjavanich jatedev at gmail.com
Fri Jul 31 15:16:24 EDT 2015


>
> Hmm.. That would be somewhat of an unfortunate direction.. My goal has
> been more to reduce externally required crypto implementation than
> adding it, i.e., this change would be reverting an earlier cleanup. It's
> a bit unfortunate if OpenSSL does not provide a FIPS mode compatible
> mechanism for AES key wrapping.
>

In this post on openssl-users -
http://marc.info/?l=openssl-users&m=140075543711643&w=2 - one of the
maintainers of OpenSSL provides an example of how to use the allowed higher
level EVP_* calls to implement FIPS mode-compatible AES key wrapping. The
code in the example very closely matches the code within aes-wrap.c and
aes-unwrap.c. I suggested re-adding that code to avoid code duplication
without realizing that it's a revert of f19c907

Would putting the aes_wrap and aes_unwrap calls from aes-[un]wrap.c into
crypto_openssl.c work?

- Jate S.

On Thu, Jul 30, 2015 at 5:09 AM, Jouni Malinen <j at w1.fi> wrote:

> On Wed, Jul 29, 2015 at 05:20:06PM -0400, Jate Sujjavanich wrote:
> > I replaced the calls within to aes_wrap/aes_unwrap in crypto_openssl.c
> with
> > the callbacks in aes_wrap.c/aes_unwrap.c. They actually lead down to
> EVP_*
> > functions within OpenSSL which is valid in FIPS mode. The callbacks to
> > aes_encrypt_* lead to higher level EVP_* calls which are allowed in FIPS
> > mode.
> >
> > Do you see anything wrong with this algorithmically as far as encryption
> is
> > concerned?
>
> No, the changes here are just reverting back to the older design. In
> fact, all you would have needed to do for this is "git revert
> f19c907822ad0dec3480b1435b615ae22c5533a1" (i.e., revert the "OpenSSL:
> Implement aes_wrap() and aes_unwrap()" commit).. Like I said, this is
> not the direction I want to go to, so I hope that there is a better
> solution for AES key wrap than this as far as hostap.git is concerned.
>
> --
> Jouni Malinen                                            PGP id EFC895FA
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.shmoo.com/pipermail/hostap/attachments/20150731/e00cd8e2/attachment.htm>


More information about the HostAP mailing list