DGNum/hostapd
6
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Do not export TLS keys in FIPS mode

Browse source 
Only allow the TLS library keying material exporter functionality to be
used for MSK derivation with TLS-based EAP methods to avoid exporting
internal TLS keys from the library.

Signed-hostap: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2012-08-16 19:38:15 +03:00
parent 411f567050
commit c9e08af24f
3 changed files with 12 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/eap_peer/eap_tls_common.c
View file

@ -259,7 +259,9 @@ void eap_peer_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
const char *label, size_t len)
{
#ifndef CONFIG_FIPS
struct tls_keys keys;
#endif /* CONFIG_FIPS */
u8 *rnd = NULL, *out;
out = os_malloc(len);
@ -271,6 +273,7 @@ u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
== 0)
return out;
#ifndef CONFIG_FIPS
/*
* TLS library did not support key generation, so get the needed TLS
* session parameters and use an internal implementation of TLS PRF to
@ -299,6 +302,7 @@ u8 * eap_peer_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
return out;
fail:
#endif /* CONFIG_FIPS */
os_free(out);
os_free(rnd);
return NULL;