3 Replies Latest reply on Aug 20, 2018 8:18 AM by strickon_3481606

    besl_set_passphrase() returns invalid security_key for EAP using TLSv1.2

    leif.widmayer_2227251

      Could not connect to a 2018 Network Policy Server with security WPA2, enterprise mode, methods EAP-TLS and EAP-PEAP with TLSv1.2.

      Found the issue to be the BESL supplicant export of the MSK. 

      Replaced the security key returned by besl to the host with a MSK key calculated according to spec EAP TLS RFC5216 in function mbedtls_ssl_derive_keys().

      Spec EAP TLS RFC5216:

      EAP-TLS derives exported keying material and parameters as follows:

         Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                                    client.random || server.random)
         MSK          = Key_Material(0,63)
         EMSK         = Key_Material(64,127)
         IV           = TLS-PRF-64("", "client EAP encryption",
                                   client.random || server.random)

      Could someone look into the calculation of the key returned to the host by the besl supplicant when using TLSv1.2?

      TLSv1.1 works properly.

      Running WICED SDK6.2.1:

        Starting WICED vWiced_006.002.001.0002
        [wiced_platform_init]Platform DPM3_ISM43362_M3G_L44 initialised
        [wiced_rtos_init]Started ThreadX v5.8
        [wiced_network_init]Initialising NetX_Duo v5.10_sp3
        [wiced_network_init]Creating Packet pools
        [wiced_wlan_connectivity_init]WLAN MAC Address : C4:7F:51:02:E2:B3
        [wiced_wlan_connectivity_init]WLAN Firmware    : wl0: May 16 2018 00:27:03 version 5.90.230.31 FWID 01-5849

      Included the two modified files besl_host.c and ssl_tls.c that fixed our issue; search for #ifdef FIX_PMK_TLS to find the changes.
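As an added example (not the poster's patch and not WICED/BESL or mbed TLS code), the following Python reference implementation computes the RFC 5216 key material for both PRF generations, so the key a supplicant hands to the host can be checked against the expected MSK for the negotiated TLS version. It assumes the TLS 1.2 PRF hash is SHA-256 (the post does not name the cipher suite) and uses constructed sample values in place of a real handshake's master secret and randoms.

```python
import hmac


def p_hash(hash_name, secret, seed, length):
    """TLS P_hash (RFC 5246 section 5): HMAC chain expanded to `length` bytes."""
    out, a = b"", seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls_prf(version, master_secret, label, seed, length):
    """PRF of the negotiated TLS version, as RFC 5216 requires.

    TLS 1.0/1.1 (3,1)/(3,2): P_MD5(S1) XOR P_SHA1(S2), secret split in halves.
    TLS 1.2 (3,3): P_SHA256 over the whole secret (SHA-256 assumed here; a
    cipher suite may specify another PRF hash, which the post does not name).
    """
    label_seed = label.encode("ascii") + seed
    if version == (3, 3):
        return p_hash("sha256", master_secret, label_seed, length)
    half = (len(master_secret) + 1) // 2
    s1, s2 = master_secret[:half], master_secret[len(master_secret) - half:]
    md5_part = p_hash("md5", s1, label_seed, length)
    sha1_part = p_hash("sha1", s2, label_seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def eap_tls_keys(version, master_secret, client_random, server_random):
    """RFC 5216 section 2.3: MSK, EMSK and IV derived from the TLS master secret."""
    seed = client_random + server_random
    key_material = tls_prf(version, master_secret, "client EAP encryption", seed, 128)
    iv = tls_prf(version, b"", "client EAP encryption", seed, 64)
    return {"MSK": key_material[:64], "EMSK": key_material[64:128], "IV": iv}


def msk_matches(exported_key, expected_msk):
    """Constant-time check of the key the supplicant handed to the host."""
    return hmac.compare_digest(exported_key, expected_msk)


if __name__ == "__main__":
    # Constructed sample values; a real handshake supplies these from the TLS state.
    ms, cr, sr = bytes(range(48)), b"\x11" * 32, b"\x22" * 32
    for ver, name in (((3, 2), "TLSv1.1"), ((3, 3), "TLSv1.2")):
        print(name, "MSK =", eap_tls_keys(ver, ms, cr, sr)["MSK"].hex())
```

Running it with the same master secret under both versions shows that the two PRFs yield different MSKs, which is why a supplicant that keeps the 1.0/1.1 derivation after negotiating TLSv1.2 exports a key the authenticator will not accept.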