WICED Studio Wi-Fi Combo

LeWi_2227251
New Contributor II

Could not connect to a 2018 Network Policy Server with security WPA2, enterprise mode, methods EAP-TLS and EAP-PEAP with TLSv1.2.

Found the issue to be the BESL supplicant export of the MSK.

Replaced the security key returned by besl to the host with an MSK key calculated according to spec EAP TLS RFC5216 in function mbedtls_ssl_derive_keys().

Spec EAP TLS RFC5216:

EAP-TLS derives exported keying material and parameters as follows:

Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                  client.random || server.random)
MSK          = Key_Material(0,63)
EMSK         = Key_Material(64,127)
IV           = TLS-PRF-64("", "client EAP encryption",
                  client.random || server.random)

Could someone look into the calculation of the key returned to the host by the besl supplicant when using TLSv1.2?

TLSv1.1 works properly.

Running WICED SDK6.2.1:

Starting WICED vWiced_006.002.001.0002

  [wiced_platform_init]Platform DPM3_ISM43362_M3G_L44 initialised

  [wiced_rtos_init]Started ThreadX v5.8

  [wiced_network_init]Initialising NetX_Duo v5.10_sp3

  [wiced_network_init]Creating Packet pools

  [wiced_wlan_connectivity_init]WLAN MAC Address : C4:7F:51:02:E2:B3

[wiced_wlan_connectivity_init]WLAN Firmware    : wl0: May 16 2018 00:27:03 version 5.90.230.31 FWID 01-5849

Included the two modified files besl_host.c and ssl_tls.c that fixed our issue, search for: #ifdef FIX_PMK_TLS to find the changes.

0 Likes
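
To cross-check the key a supplicant hands to the host, the RFC 5216 formula quoted in the post above can be computed offline. The block below is an added example, not code from the thread or from BESL; it evaluates the formula with both the TLS 1.2 PRF and the TLS 1.0/1.1 PRF to show that the same inputs yield a different MSK under each protocol version. The function names and sample values are assumptions made for the example, and the thread does not say what BESL computed incorrectly.

```python
import hmac

LABEL = b"client EAP encryption"  # exporter label from RFC 5216

def p_hash(hash_name, secret, seed, length):
    """P_hash expansion (RFC 5246 section 5): HMAC chained over A(i)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()            # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(A(i) + seed)
    return out[:length]

def prf_tls12(secret, label, seed, length, hash_name="sha256"):
    """TLS 1.2 PRF: one P_hash, SHA-256 unless the cipher suite defines another."""
    return p_hash(hash_name, secret, label + seed, length)

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1) XOR P_SHA-1(S2), S1/S2 = halves of the secret."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, length)
    sha1 = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))

def eap_tls_keys(prf, master_secret, client_random, server_random):
    """Return (MSK, EMSK, PMK) using the RFC 5216 formula quoted in the post."""
    if len(master_secret) != 48 or len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("need a 48-byte master_secret and 32-byte randoms")
    # Seed order is client.random || server.random, the reverse of the order
    # TLS itself uses for its "key expansion" block.
    km = prf(master_secret, LABEL, client_random + server_random, 128)
    msk, emsk = km[:64], km[64:128]
    return msk, emsk, msk[:32]  # WPA2-Enterprise takes PMK = first 32 bytes of MSK

# Constructed sample values, not taken from any real handshake.
MASTER = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    for name, prf in (("TLS 1.2", prf_tls12), ("TLS 1.0/1.1", prf_tls10)):
        msk, _, pmk = eap_tls_keys(prf, MASTER, CLIENT_RANDOM, SERVER_RANDOM)
        print(f"{name:12} MSK[0:8]={msk[:8].hex()} PMK[0:8]={pmk[:8].hex()}")
```

Comparing the PMK printed here with the one logged by the authentication server for the same handshake shows whether the supplicant and the server derived the same key.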
GauravS_31
Moderator

The issue of enterprise join failure has been fixed. Please find attached the modified BESL files and patch file. Go to console.mk and do #CONSOLE_DISABLE_ENTERPRISE_COMMANDS:=1 under BCM943362WCD4 platform. Replace the BESL files in WICED/security/BESL and apply the patch.

AxLi_1746341
Honored Contributor

The attached files explain nothing about the change.

If you can tell what is the problem and how it is fixed, people have better confidence to apply the fix.

0 Likes
JoSt_3481606
New Contributor II

How do you apply the patch? I'm using the 43XXX sdk. I have tried patching root, wiced and other sub directories and the patch can't match the files.

0 Likes
GauravS_31
Moderator

Patch application is a standard procedure. The steps below would assume that git bash is installed in your system. If not, please install the same.
Go to the source folder 43xxx_Wi-Fi in git bash and follow the steps given below:

git init
git add .
git commit -m "temp"
Now extract the attachment "patch2.7z"
Replace the binaries from patch2 folder with names "BESL_generic.ARM_CM3.release.a", "BESL_generic.ARM_CM4.release.a" & "BESL_generic.ARM_CR4.release.a" in folder "Wiced-SDK\WICED\security\BESL".
Applied the patch using git command
git apply --ignore-whitespace "code_changes.patch"

0 Likes
JoSt_3481606
New Contributor II

Thanks. This all works now. Is there going to be a new release of the sdk soon? This information shouldn't be buried as I know others are seeking out answers to similar questions.

0 Likes
GauravS_31
Moderator

I am not sure about the date of the next release, but the fix would be part of the next release.

0 Likes
AxLi_1746341
Honored Contributor

grsr wrote:

The issue of enterprise join failure has been fixed. Please find attached the modified BESL files and patch file. Go to console.mk and do #CONSOLE_DISABLE_ENTERPRISE_COMMANDS:=1 under BCM943362WCD4 platform. Replace the BESL files in WICED/security/BESL and apply the patch.

Since you didn't explain what is changed.

A simple question: Does this patch fix the EAP-TLS/PEAP issues with FreeRTOS build?

0 Likes
GauravS_31
Moderator

For FreeRTOS, the patch worked for EAP-TLS but not PEAP. I will check with the development team on this.