Questions on using EAP-AKA
Ben Greear
greearb
Tue Dec 31 07:50:32 PST 2013

On 12/31/2013 03:57 AM, Jouni Malinen wrote:
> That's an old note that has not been updated after OpenSSL 1.0 was
> released with the changes needed for EAP-FAST.
>
>> So, question is, what SSL should I use for fullest functionality?
>
> OpenSSL 1.0 or newer
>
>> I will add some extra logging to print big errors if eap_sim_derive_keys
>> fails, as it appears that can only happen when the SSL implementation
>> is deficient.
>>
>> Maybe it should even be a build error to compile in AKA while using gnutls?
>
> Yes, that would make more sense. I guess I was planning on implementing
> fips186_2_prf() for GnuTLS (or well, libgcrypt), but never got that far.
> I guess I (or someone else) could take a newer look at how easily this
> could be done with the current version and if that does not go through,
> just remove fips_prf_gnutls.c.

I looked around yesterday and did not see any sha1 support in gnutls. I tried
using 'internal' TLS support, and that failed some RADIUS test cases, so I was
suspicious that re-implementing sha1 for gnutls using 'internal' logic
might not work that easily.

I did not look into why 'internal' mode failed the RADIUS tests, but when I did
switch to openssl, then everything seems to be working.

If no one beats me to it, I will try to send in some patches to update
the defconfig file with the answers you sent in this email. But I've a large
backlog of stuff to do so that will take a while probably.

Thanks,
Ben

--
Ben Greear <greearb at candelatech.com>
Candela Technologies Inc http://www.candelatech.com