Questions on using EAP-AKA

Ben Greear greearb
Tue Dec 31 07:50:32 PST 2013

On 12/31/2013 03:57 AM, Jouni Malinen wrote:

> That's an old note that has not been updated after OpenSSL 1.0 was
> released with the changes needed for EAP-FAST.
>> So, question is, what SSL should I use for fullest functionality?
> OpenSSL 1.0 or newer
>> I will add some extra logging to print big errors if eap_sim_derive_keys
>> fails, as it appears that can only happen when the SSL implementation
>> is deficient.
>> Maybe it should even be a build error to compile in AKA while using gnutls?
> Yes, that would make more sense. I guess I was planning on implementing
> fips186_2_prf() for GnuTLS (or well, libgcrypt), but never got that far.
> I guess I (or someone else) could take a newer look at how easily this
> could be done with the current version and if that does not go through,
> just remove fips_prf_gnutls.c.

I looked around yesterday and did not see any sha1 support in gnutls.  I tried
using 'internal' TLS support, and that failed some RADIUS test cases, so I was suspicious
that re-implementing sha1 for gnutls using 'internal' logic
might not work that easily.

I did not look into why 'internal' mode failed the RADIUS tests, but when I did
switch to openssl, then everything seems to be working.

If no one beats me to it, I will try to send in some patches to update
the defconfig file with the answers you sent in this email.  But I've a large
backlog of stuff to do so that will take a while probably.


Ben Greear <greearb at>
Candela Technologies Inc

More information about the Hostap mailing list