What is the difference in modes with wpa_supplicant using wolfSSL FIPS vs non FIPS? Some of the algorithms are restricted when using CONFIG_FIPS=y while building wpa_supplicant. This is not a limitation in wpa_supplicant or in wolfSSL, but is due to restrictions and guidelines put in place for FIPS. To help avoid using algorithms that have not been sanctioned for use with FIPS, the build removes MD5/MD4 along with DES. Removal of these algorithms limits the modes supported.
Another restriction that is seen with FIPS use is that the key passed into HMAC must be 14 bytes or longer, this can cause issues with hunting-and-peck mode unless password sizes can be known to always be large enough. To avoid the limitation on HMAC key size, hash-to-element (sae_pwe=1) can be used instead.
Supported By wolfSSL | |||
wpa_supplicant modes | Not FIPS | FIPS | Test Ran |
EAP-TLS | Yes | Yes | eap_proto_tls |
EAP-PEAP/MSCHAPv2 | Yes | No | ap_wpa_eap_peap_eap_mschapv2
ap_wpa2_eap_peap_eap_mschapv2 |
EAP-PEAP/TLS | Yes | Yes | ap_wpa2_eap_peap_eap_tls |
EAP-PEAP/GTC | Yes | Yes | ap_wpa2_eap_peap_eap_gtc |
EAP-PEAP/OTP | Yes | Yes | eap_proto_otp |
EAP-TTLS/EAP-MD5-Challenge | Yes | No | ap_wpa2_eap_ttls_eap_md5 |
EAP-TTLS/EAP-GTC | Yes | Yes | ap_wpa2_eap_ttls_eap_gtc |
EAP-TTLS/EAP-MSCHAPv2 | Yes | No | ap_wpa2_eap_ttls_mschapv2 |
EAP-TTLS/MSCHAP | Yes | No | ap_wpa2_eap_ttls_mschap |
EAP-TTLS/PAP | Yes | Yes | ap_wpa2_eap_ttls_pap |
EAP-TTLS/CHAP | Yes | No | ap_wpa2_eap_ttls_chap |
EAP-SIM | Yes | Yes | eap_proto_sim |
EAP-AKA | Yes | Yes | eap_proto_aka |
EAP-PSK | Yes | Yes | eap_proto_psk |
EAP-PAX | Yes | Yes | eap_proto_pax |
LEAP | Yes | No | eap_proto_leap |
If you have questions on any of the above, please contact us at facts@wolfssl.com, or call us at +1 425 245 8247.