William Rettig wrote:
I am facing a requirement for FIPS compliant AES Key-wrap function. I have not found support for it in the docs I have skimmed the code to no avail. Before I go off and add the feature, I wanted to make sure that it is not already there either in whole or in part.
FreeRADIUS does not yet support the IETF key-wrap document.
In a nutshell AES Key-wrap is the name of a procedure to encrypt and package the Master Key sent to the Access Point in the RADIUS accept packet.
Hmm... no. The EAP/802.1X specifications specify that the keys are put into the MS-MPPE-*-Key attributes. Those attributes are obfuscated with MD5 operations, not AES.
So that I stay within the design intent of FreeRADIUS, I request some guidance with an approach that “stays between the lines”.
As always, patches are welcome. Alan DeKok.