<div dir="ltr"><div>I replaced the calls within to aes_wrap/aes_unwrap in crypto_openssl.c with the callbacks in aes_wrap.c/aes_unwrap.c. They actually lead down to EVP_* functions within OpenSSL which is valid in FIPS mode. The callbacks to aes_encrypt_* lead to higher level EVP_* calls which are allowed in FIPS mode.<br><br></div><div>Do you see anything wrong with this algorithmically as far as encryption is concerned?<br></div><div><br>----<br><br>Replace aes wrapping functions with higher level EVP calls for FIPS compatibility<br><br></div>diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c<br><div><div>index f158ef4..ca44386 100644<br>--- a/src/crypto/crypto_openssl.c<br>+++ b/src/crypto/crypto_openssl.c<br>@@ -297,33 +297,6 @@ void aes_decrypt_deinit(void *ctx)<br> }<br> <br> <br>-int aes_wrap(const u8 *kek, size_t kek_len, int n, const u8 *plain, u8 *cipher)<br>-{<br>- AES_KEY actx;<br>- int res;<br>-<br>- if (AES_set_encrypt_key(kek, kek_len << 3, &actx))<br>- return -1;<br>- res = AES_wrap_key(&actx, NULL, cipher, plain, n * 8);<br>- OPENSSL_cleanse(&actx, sizeof(actx));<br>- return res <= 0 ? -1 : 0;<br>-}<br>-<br>-<br>-int aes_unwrap(const u8 *kek, size_t kek_len, int n, const u8 *cipher,<br>- u8 *plain)<br>-{<br>- AES_KEY actx;<br>- int res;<br>-<br>- if (AES_set_decrypt_key(kek, kek_len << 3, &actx))<br>- return -1;<br>- res = AES_unwrap_key(&actx, NULL, plain, cipher, (n + 1) * 8);<br>- OPENSSL_cleanse(&actx, sizeof(actx));<br>- return res <= 0 ? -1 : 0;<br>-}<br>-<br>-<br> int crypto_mod_exp(const u8 *base, size_t base_len,<br> const u8 *power, size_t power_len,<br> const u8 *modulus, size_t modulus_len,<br>diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile<br>index 0f82af9..87af300 100644<br>--- a/wpa_supplicant/Makefile<br>+++ b/wpa_supplicant/Makefile<br>@@ -983,6 +983,10 @@ LIBS += -lssl<br> endif<br> OBJS += ../src/crypto/crypto_openssl.o<br> OBJS_p += ../src/crypto/crypto_openssl.o<br>+OBJS += ../src/crypto/aes-wrap.o<br>+OBJS_p += ../src/crypto/aes-wrap.o<br>+OBJS += ../src/crypto/aes-unwrap.o<br>+OBJS_p += ../src/crypto/aes-unwrap.o<br> ifdef NEED_FIPS186_2_PRF<br> OBJS += ../src/crypto/fips_prf_openssl.o<br> endif<br><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jul 29, 2015 at 3:43 PM, Jouni Malinen <span dir="ltr"><<a href="mailto:j@w1.fi" target="_blank">j@w1.fi</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Wed, Jul 29, 2015 at 02:50:09PM -0400, Jate Sujjavanich wrote:<br>
> I figured out an issue with the aes_wrap/aes_unwrap function calls causing<br>
> the exit. The ones implemented in crypto_openssl.c make a lower level call<br>
> which is not allowed in FIPS mode for 1.0.1. I will submit a patch which<br>
> uses the more generic callbacks in src/crypto/aes_wrap.c and<br>
> src/crypto/aes_unwrap.c.<br>
<br>
</span>Hmm.. That would be somewhat of an unfortunate direction.. My goal has<br>
been more to reduce externally required crypto implementation than<br>
adding it, i.e., this change would be reverting an earlier cleanup. It's<br>
a bit unfortunate if OpenSSL does not provide a FIPS mode compatible<br>
mechanism for AES key wrapping.<br>
<span class=""><br>
</span><span class=""><br>
--<br>
Jouni Malinen PGP id EFC895FA<br>
_______________________________________________<br>
HostAP mailing list<br>
</span><a href="mailto:HostAP@lists.shmoo.com">HostAP@lists.shmoo.com</a><br>
<a href="http://lists.shmoo.com/mailman/listinfo/hostap" rel="noreferrer" target="_blank">http://lists.shmoo.com/mailman/listinfo/hostap</a><br>
</blockquote></div><br></div></div></div></div>