<div dir="ltr"><div><div><div><div><div>Anybody have any information about running wpa_supplicant in FIPS mode?<br></div><div><br>I have been trying to run wpa_supplicant 2.0 with OpenSSL 1.0.0 with a FIPS certified cryptographic module. I patched wpa_supplicant so that it puts itself into FIPS mode.<br><br></div><div>I received a warning about use of the md5 algorithm within tls_prf_sha1_md5. The code generates a pseudorandom key from an xor of a sha1 and md5 sum of the key. I have come across some discussion whether it is valid to use md5. That may have been 2009.<br></div><br>I moved from version 2.0 to 2.4 of wpa_supplicant after I noticed changes that could improve FIPS mode operation.<br><br></div>I am still receiving the warning which I believe has to do with tls_prf_sha1_md5. I have not yet traced the call.<br><br>EAP: EAP entering state RECEIVED<br>OpenSSL: EVP_DigestInit_ex failed: error:060A80A3:digital envelope routines:FIPS<br>_DIGESTINIT:disabled for fips<br>EAP: Received EAP-Success<br><br></div>It appears to authenticate, but I receive this message along with a termination.<br><br>RSN: encrypted key data - hexdump(len=56): 07 73 60 d5 92 11 39 10 38 63 08 1f c<br>a 53 af 88 0c 93 ee 03 2d 9e f5 a9 6a d2 38 cd 3d 6e c9 80 ba 5e 4d 6d bb d8 7d<br>41 25 ef db 92 d1 15 a4 1f 4d 0d bf 5f 9a fd 65 3b<br>aes_misc.c(82): OpenSSL internal error, assertion failed: Low level API call to<br>cipher AES forbidden in FIPS mode!<br></div>Aborted<br><br></div><div>Two patches in master since the release of 2.4 which I think might affect FIPS compatibility are:<br><br>5650d3 (OpenSSL: Add option to disable use of TLSv1.0)<br></div><div>Â Â Â I think that I may have read that the version of TLS affects the use of md5. Althought it may have been SSLv3.<br><br></div><div>65a7b2 (OpenSSL: Implement AES-128 CBC using EVP API)<br></div><div>Â Â Â This seems like it might be related to the "cipher AES forbidden in FIPS mode" error message.<br><br></div><div>I'm hoping that someone has more insight onto these details of wpa_supplicant. It's pretty new to me.<br><br></div><div>- Jate S.<br></div></div>