besl_set_passphrase() returns invalid security_key for EAP using TLSv1.2


LeWi_2227251

Could not connect to a 2018 Network Policy Server with security WPA2, enterprise mode, methods EAP-TLS and EAP-PEAP with TLSv1.2.

Found the issue to be the BESL supplicant export of the MSK.

Replaced the security key returned by besl to the host with an MSK calculated according to spec EAP TLS RFC5216 in function mbedtls_ssl_derive_keys().

Spec EAP TLS RFC5216:

EAP-TLS derives exported keying material and parameters as follows:

  Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                             client.random || server.random)
  MSK          = Key_Material(0,63)
  EMSK         = Key_Material(64,127)
  IV           = TLS-PRF-64("", "client EAP encryption",
                            client.random || server.random)

Could someone look into the calculation of the key returned to the host by the besl supplicant when using TLSv1.2?

TLSv1.1 works properly.

Running WICED SDK6.2.1:

Starting WICED vWiced_006.002.001.0002
  [wiced_platform_init]Platform DPM3_ISM43362_M3G_L44 initialised
  [wiced_rtos_init]Started ThreadX v5.8
  [wiced_network_init]Initialising NetX_Duo v5.10_sp3
  [wiced_network_init]Creating Packet pools
  [wiced_wlan_connectivity_init]WLAN MAC Address : C4:7F:51:02:E2:B3
  [wiced_wlan_connectivity_init]WLAN Firmware    : wl0: May 16 2018 00:27:03 version 5.90.230.31 FWID 01-5849

Included the two modified files besl_host.c and ssl_tls.c that fixed our issue; search for: #ifdef FIX_PMK_TLS to find the changes.

0 Likes
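A worked version of the RFC 5216 derivation the post refers to, added here as an example; it is not code from the thread, from BESL or from mbedTLS. It uses the TLS 1.2 PRF (P_SHA256, RFC 5246) and, for comparison, the TLS 1.0/1.1 PRF (P_MD5 XOR P_SHA1, RFC 4346); the master secret and randoms are constructed sample values, not from any real session.

```python
import hmac

# Label fixed by RFC 5216 section 2.3.
LABEL = b"client EAP encryption"


def p_hash(hash_name, secret, seed, length):
    """P_<hash> expansion (RFC 5246 section 5): A(0) = seed,
    A(i) = HMAC(secret, A(i-1)), block i = HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF: one P_SHA256 over label || seed (RFC 5246)."""
    return p_hash("sha256", secret, label + seed, length)


def tls11_prf(secret, label, seed, length):
    """TLS 1.0/1.1 PRF: P_MD5(S1) XOR P_SHA1(S2), secret halves (RFC 4346)."""
    half = (len(secret) + 1) // 2          # halves overlap by one byte if odd
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_part = p_hash("md5", s1, label + seed, length)
    sha1_part = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def eap_tls_keys(master_secret, client_random, server_random, tls_version="1.2"):
    """Return (MSK, EMSK, IV) per RFC 5216 section 2.3.
    The PRF must match the negotiated TLS version: a supplicant that keeps
    the 1.1 PRF on a 1.2 session exports a wrong MSK, so the PMK taken from
    it disagrees with the authenticator's and the 4-way handshake fails."""
    prf = tls12_prf if tls_version == "1.2" else tls11_prf
    seed = client_random + server_random
    key_material = prf(master_secret, LABEL, seed, 128)
    iv = prf(b"", LABEL, seed, 64)
    return key_material[:64], key_material[64:128], iv


# Constructed sample values (assumption: not taken from any real session).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

if __name__ == "__main__":
    msk, emsk, iv = eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)
    print("MSK  =", msk.hex())
    print("EMSK =", emsk.hex())
    print("IV   =", iv.hex())
```

Under WPA2-Enterprise the first 32 bytes of the MSK become the PMK, so comparing this MSK against what the supplicant hands to the host is a direct check of the export path.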
9 Replies
GauravS_31
Moderator

The issue of enterprise join failure has been fixed. Please find attached the modified BESL files and patch file. Go to console.mk and do #CONSOLE_DISABLE_ENTERPRISE_COMMANDS:=1 under BCM943362WCD4 platform. Replace the BESL files in WICED/security/BESL and apply the patch.

The attached files explain nothing about the change.

If you can tell what is the problem and how it is fixed, people have better confidence to apply the fix.

0 Likes

How do you apply the patch? I'm using the 43XXX SDK. I have tried patching root, wiced and other sub directories and the patch can't match the files.

0 Likes

Patch application is a standard procedure. The steps below would assume that git bash is installed in your system. If not, please install the same.
Go to the source folder 43xxx_Wi-Fi in git bash and follow the steps given below:

git init
git add .
git commit -m "temp"
Now extract the attachment "patch2.7z".
Replace the binaries from the patch2 folder with the names "BESL_generic.ARM_CM3.release.a", "BESL_generic.ARM_CM4.release.a" & "BESL_generic.ARM_CR4.release.a" in folder "Wiced-SDK\WICED\security\BESL".
Apply the patch using the git command:
git apply --ignore-whitespace "code_changes.patch"

0 Likes

Thanks. This all works now. Is there going to be a new release of the SDK soon? This information shouldn't be buried, as I know others are seeking out answers to similar questions.

0 Likes

I am not sure about the date of next release but the fix would be part of the next release.

mifo

0 Likes

Early Q4'18.

0 Likes

grsr wrote:

The issue of enterprise join failure has been fixed. Please find attached the modified BESL files and patch file. Go to console.mk and do #CONSOLE_DISABLE_ENTERPRISE_COMMANDS:=1 under BCM943362WCD4 platform. Replace the BESL files in WICED/security/BESL and apply the patch.

Since you didn't explain what is changed.

A simple question: Does this patch fix the EAP-TLS/PEAP issues with FreeRTOS build?

0 Likes

For FreeRTOS, the patch worked for EAP-TLS but not PEAP. I will check with the development team on this.