DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Do not export TLS keys in FIPS mode

Browse source 
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.

Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2012-08-16 19:38:15 +03:00
parent 411f567050
commit c9e08af24f
3 changed files with 12 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/crypto/tls_openssl.c
View file

@ -2299,6 +2299,11 @@ static int tls_global_dh(SSL_CTX *ssl_ctx, const char *dh_file)
int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
struct tls_keys *keys)
{
#ifdef CONFIG_FIPS
wpa_printf(MSG_ERROR, "OpenSSL: TLS keys cannot be exported in FIPS "
"mode");
return -1;
#else /* CONFIG_FIPS */
SSL *ssl;
if (conn == NULL || keys == NULL)
@ -2316,6 +2321,7 @@ int tls_connection_get_keys(void *ssl_ctx, struct tls_connection *conn,
keys->server_random_len = SSL3_RANDOM_SIZE;
return 0;
#endif /* CONFIG_FIPS */
}