Could not connect to a 2018 Network Policy Server with security WPA2, enterprise mode, methods EAP-TLS and EAP-PEAP with TLSv1.2.
Found the issue to be the BESL supplicant export of the MSK.
Replaced the security key returned by besl to the host with a MSK key calculated according to spec EAP TLS RFC5216 in function mbedtls_ssl_derive_keys().
Spec EAP TLS RFC5216:
EAP-TLS derives exported keying material and parameters as follows:
   Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                     client.random || server.random)
   MSK          = Key_Material(0,63)
   EMSK         = Key_Material(64,127)
   IV           = TLS-PRF-64("", "client EAP encryption",
                     client.random || server.random)
Could someone look into the calculation of the key returned to the host by the besl supplicant when using TLSv1.2?
TLSv1.1 works properly.
Running WICED SDK6.2.1:
Starting WICED vWiced_006.002.001.0002
[wiced_platform_init]Platform DPM3_ISM43362_M3G_L44 initialised
[wiced_rtos_init]Started ThreadX v5.8
[wiced_network_init]Initialising NetX_Duo v5.10_sp3
[wiced_network_init]Creating Packet pools
[wiced_wlan_connectivity_init]WLAN MAC Address : C4:7F:51:02:E2:B3
[wiced_wlan_connectivity_init]WLAN Firmware : wl0: May 16 2018 00:27:03 version 5.90.230.31 FWID 01-5849
Included the two modified files besl_host.c and ssl_tls.c that fixed our issue; search for #ifdef FIX_PMK_TLS to find the changes.
Labels: Security, WICED Studio
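The RFC 5216 derivation quoted in the post above, as an added reference example that is not part of the original post or of the WICED/BESL code: it computes MSK, EMSK and IV with the TLS 1.2 PRF (RFC 5246) and, going beyond the post, with the TLS 1.0/1.1 PRF (RFC 4346), so a supplicant's exported key can be compared against an independent calculation. Function names and sample inputs are constructed; it assumes a SHA-256 cipher suite and that the PMK handed to the host is the first 32 bytes of the MSK.

```python
import hmac

LABEL = b"client EAP encryption"  # RFC 5216 label, as quoted in the post

def p_hash(name, secret, seed, length):
    """P_hash expansion (RFC 5246 section 5): A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, name).digest()
        out += hmac.new(secret, a + seed, name).digest()
    return out[:length]

def prf_tls12(secret, label, seed, length, name="sha256"):
    """TLS 1.2 PRF: a single P_hash, SHA-256 unless the cipher suite says otherwise."""
    return p_hash(name, secret, label + seed, length)

def prf_tls10(secret, label, seed, length):
    """TLS 1.0/1.1 PRF (RFC 4346 section 5): P_MD5(S1) XOR P_SHA-1(S2)."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, length)
    sha = p_hash("sha1", secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha))

def eap_tls_keys(prf, master_secret, client_random, server_random):
    """Key_Material = PRF-128(master_secret, LABEL, client.random || server.random)."""
    km = prf(master_secret, LABEL, client_random + server_random, 128)
    iv = prf(b"", LABEL, client_random + server_random, 64)
    msk = km[:64]
    # Assumption: WPA2-Enterprise (802.1X AKM), where the PMK is MSK[0:32].
    return {"MSK": msk, "EMSK": km[64:128], "IV": iv, "PMK": msk[:32]}

# Constructed sample handshake values, not taken from any real session.
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = bytes([0xC1]) * 32
SERVER_RANDOM = bytes([0x5E]) * 32

if __name__ == "__main__":
    for name, prf in (("TLS 1.2", prf_tls12), ("TLS 1.0/1.1", prf_tls10)):
        keys = eap_tls_keys(prf, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
        print(name, "PMK =", keys["PMK"].hex())
```

The same master secret and randoms give different keys under the two PRFs, so a key export has to use the PRF of the negotiated TLS version.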
Patch application is a standard procedure. The steps below assume that Git Bash is installed on your system. If not, please install it.
Go to the source folder 43xxx_Wi-Fi in git bash and follow the steps given below:
git init
git add .
git commit -m "temp"
Now extract the attachment "patch2.7z".
Replace the binaries from patch2 folder with names "BESL_generic.ARM_CM3.release.a", "BESL_generic.ARM_CM4.release.a" & "BESL_generic.ARM_CR4.release.a" in folder "Wiced-SDK\WICED\security\BESL".
Applied the patch using git command
git apply --ignore-whitespace "code_changes.patch"