besl_set_passphrase() returns invalid security_key for EAP using TLSv1.2

LeWi_2227251
Could not connect to a 2018 Network Policy Server with security WPA2, enterprise mode, methods EAP-TLS and EAP-PEAP with TLSv1.2.

Found the issue to be the BESL supplicant export of the MSK.

Replaced the security key returned by BESL to the host with an MSK calculated according to the EAP-TLS spec RFC 5216 in function mbedtls_ssl_derive_keys().

Spec EAP-TLS RFC 5216:

EAP-TLS derives exported keying material and parameters as follows:

   Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                              client.random || server.random)
   MSK          = Key_Material(0,63)
   EMSK         = Key_Material(64,127)
   IV           = TLS-PRF-64("", "client EAP encryption",
                             client.random || server.random)

Could someone look into the calculation of the key returned to the host by the BESL supplicant when using TLSv1.2?

TLSv1.1 works properly.

Running WICED SDK 6.2.1:

  Starting WICED vWiced_006.002.001.0002
  [wiced_platform_init]Platform DPM3_ISM43362_M3G_L44 initialised
  [wiced_rtos_init]Started ThreadX v5.8
  [wiced_network_init]Initialising NetX_Duo v5.10_sp3
  [wiced_network_init]Creating Packet pools
  [wiced_wlan_connectivity_init]WLAN MAC Address : C4:7F:51:02:E2:B3
  [wiced_wlan_connectivity_init]WLAN Firmware    : wl0: May 16 2018 00:27:03 version 5.90.230.31 FWID 01-5849

Included the two modified files besl_host.c and ssl_tls.c that fixed our issue; search for #ifdef FIX_PMK_TLS to find the changes.

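The derivation quoted above, as an added worked example (not the poster's patch and not WICED/BESL or mbedTLS code): the TLS 1.2 PRF of RFC 5246 (the SHA-256 variant is assumed, which is what the cipher suites of that era used) feeding the RFC 5216 MSK/EMSK/IV split, plus the WPA2 PMK that the 802.11 stack takes from the MSK. The master secret and randoms are constructed values, not captured from a handshake.

```python
import hmac
import hashlib

def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5): P_SHA256(secret, label || seed),
    truncated to `length` bytes. TLS 1.0/1.1 used an MD5/SHA-1 split PRF
    instead, so a TLS 1.2 session must export keys through this function."""
    seed = label + seed
    out = b""
    a = seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac_sha256(secret, a)             # A(i) = HMAC(secret, A(i-1))
        out += hmac_sha256(secret, a + seed)   # block i = HMAC(secret, A(i) || seed)
    return out[:length]

EAP_TLS_LABEL = b"client EAP encryption"       # label fixed by RFC 5216 section 2.3

def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """RFC 5216 key export: 128 bytes of Key_Material split into MSK and EMSK,
    plus the 64-byte IV derived with an empty secret."""
    randoms = client_random + server_random
    key_material = tls12_prf(master_secret, EAP_TLS_LABEL, randoms, 128)
    msk = key_material[0:64]
    emsk = key_material[64:128]
    iv = tls12_prf(b"", EAP_TLS_LABEL, randoms, 64)
    return msk, emsk, iv

def pmk_from_msk(msk: bytes) -> bytes:
    """WPA2-Enterprise PMK handed to the 802.11 stack: the first 256 bits
    of the MSK (IEEE 802.11-2016, 12.7.1.3)."""
    return msk[:32]

if __name__ == "__main__":
    # Constructed inputs (not from a real handshake): 48-byte master secret,
    # 32-byte client and server randoms as defined for the TLS handshake.
    master_secret = bytes(range(48))
    client_random = b"\xaa" * 32
    server_random = b"\xbb" * 32
    msk, emsk, iv = eap_tls_keys(master_secret, client_random, server_random)
    print("MSK ", msk.hex())
    print("EMSK", emsk.hex())
    print("IV  ", iv.hex())
    print("PMK ", pmk_from_msk(msk).hex())
```

Comparing the MSK printed here against the security_key the supplicant hands to the host for the same handshake is the quickest way to confirm which side of the export is wrong.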
1 Solution

Patch application is a standard procedure. The steps below assume that Git Bash is installed on your system; if not, please install it.
Go to the source folder 43xxx_Wi-Fi in Git Bash and follow the steps given below:

  git init
  git add .
  git commit -m "temp"

Now extract the attachment "patch2.7z".
Replace the binaries in folder "Wiced-SDK\WICED\security\BESL" with the files named "BESL_generic.ARM_CM3.release.a", "BESL_generic.ARM_CM4.release.a" and "BESL_generic.ARM_CR4.release.a" from the patch2 folder.
Apply the patch using the git command:

  git apply --ignore-whitespace "code_changes.patch"
