wpa_supplicant 2.4 / 2.5 Openssl TLS-PRF Problem
Thomas Rosenstein
thomas.rosenstein at creamfinance.com
Fri Apr 1 02:17:34 PDT 2016
Hi,
I have got a problem with the TLS-PRF function for key derivation in
wpa_supplicant.
With version 2.5 the TLS-PRF-SHA256 for TLS1.2 was added to the source
code, but by default it's using the OpenSSL Implementation.
I have implemented a Radius Server thats using the same function, when
commenting out the OpenSSL call wpa_supplicant derives the same key as
my application, therefore the connection works.
If the OpenSSL implementation is used the keys differ.
I have added additional logging here are the necessary infos for the key
derivation:
2016-03-03 17:26:43.782 SSL Client Random: <Buffer 9d
02 f1 6c 68 ee a7 cf 10 80 c9 50 91 1e 4f 1a b1 39 72 79 b8 07 db a0 38
69 31 f7 eb 63 24 c8>
2016-03-03 17:26:43.786 SSL Server Random: <Buffer 55
cd ad 71 23 c4 f6 f0 e8 19 e1 8f 19 13 38 9a b2 31 78 09 f0 81 92 ee 4b
63 63 78 69 7b ed 95>
2016-03-03 17:26:43.883 SSL SSL Version: 771 771 TLS
1.2
2016-03-03 17:26:43.883 SSL SSL v1.0 <Buffer 6a d9 5f
88 04 c1 2c 43 05 35 16 3b e0 5e 78 c8 8d 3f 70 1f 08 f2 00 77 3f 26 84
2c 58 06 13 38 e3 ca b7 b6 90 67 e2 6e 1c 90 2c 07 d8 1e 4b a4 bc 3f ...
>
2016-03-03 17:26:43.884 SSL SSL v1.2 <Buffer 39 9e 3c
8f 30 aa 5a 96 11 cb 8e 54 e1 84 5e a4 79 4e c9 bb 38 c7 e2 9d ae c5 aa
42 59 f5 00 b3 f2 ea 77 5e 6f 5d 94 9b 45 a9 58 13 36 c2 92 d3 93 60 ...
>
2016-03-03 17:26:43.884 SSL Master Key: <Buffer 5b ef
6c ba f7 e4 29 9e 16 09 d8 fa 76 02 eb 8b d7 b5 ed 5f 8a c5 ea 35 f1 a3
9d 37 cb 74 ad ff 61 6a 01 f9 f4 a4 be 7a 66 85 af 07 ed 67 b0 1f>
2016-03-03 17:26:43.884 SSL Key Material: <Buffer 39
9e 3c 8f 30 aa 5a 96 11 cb 8e 54 e1 84 5e a4 79 4e c9 bb 38 c7 e2 9d ae
c5 aa 42 59 f5 00 b3 f2 ea 77 5e 6f 5d 94 9b 45 a9 58 13 36 c2 92 d3 93
60 ... >
2016-03-03 17:26:43.884 SSL MSK: <Buffer 39 9e 3c 8f
30 aa 5a 96 11 cb 8e 54 e1 84 5e a4 79 4e c9 bb 38 c7 e2 9d ae c5 aa 42
59 f5 00 b3 f2 ea 77 5e 6f 5d 94 9b 45 a9 58 13 36 c2 92 d3 93 60 ... >
64
2016-03-03 17:26:43.885 SSL EMSK: <Buffer 6a f4 69 0b
c2 ab c6 de e8 11 ef fc 39 73 54 85 9e d8 91 67 fb 2a 2d 92 69 70 87 37
0f 00 9a ca d0 81 9b e3 b3 1c 92 8f b8 67 3e c7 cb 7c e1 c8 ac c7 ... >
The derived keys in wpa_supplicant:
First here the key OpenSSL is trying to tell us:
1459351603.922696: OpenSSL - Derived - hexdump(len=64): 6a 41 ed ab 85
dd f8 99 75 2d 6c 3b e4 0e d9 04 07 9a 63 9c 8f 65 b4 37 7c 39 71 a2 f4
1e a1 26 66 a8 23 08 f1 d2 ee 13 5f 99 76 f8 a5 01 12 b8 6b a4 f1 21 1d
7f 87 a6 ef 19 51 21 1b 30 65 90
here is the key the wpa_supplicant implementation returns:
1459351603.922707: Derived - hexdump(len=32): 9d 02 f1 6c 68 ee a7 cf 10
80 c9 50 91 1e 4f 1a b1 39 72 79 b8 07 db a0 38 69 31 f7 eb 63 24 c8
1459351603.922711: Derived - hexdump(len=32): 55 cd ad 71 23 c4 f6 f0 e8
19 e1 8f 19 13 38 9a b2 31 78 09 f0 81 92 ee 4b 63 63 78 69 7b ed 95
1459351603.922715: Derived - sha256 TLS1.2
1459351603.922739: EAP-PEAP: Derived key 3333 - hexdump(len=64): 39 9e
3c 8f 30 aa 5a 96 11 cb 8e 54 e1 84 5e a4 79 4e c9 bb 38 c7 e2 9d ae c5
aa 42 59 f5 00 b3 f2 ea 77 5e 6f 5d 94 9b 45 a9 58 13 36 c2 92 d3 93 60
02 b2 a9 c2 88 8d 80 a1 ac fd f0 f5 24 ce
1459351603.922751: EAP-PEAP: Derived Session-Id 3333 - hexdump(len=65):
19 9d 02 f1 6c 68 ee a7 cf 10 80 c9 50 91 1e 4f 1a b1 39 72 79 b8 07 db
a0 38 69 31 f7 eb 63 24 c8 55 cd ad 71 23 c4 f6 f0 e8 19 e1 8f 19 13 38
9a b2 31 78 09 f0 81 92 ee 4b 63 63 78 69 7b ed 95
I added those logs, so don't search for them ;)
As you can see the wpa_supplicant implementation returns the same MSK as
my implementation. Either BOTH of them are defective or OpenSSL is doing
something shady.
Does someone have insight into the OpenSSL implementation and why it's
returning "a wrong" key?
BR
Thomas
More information about the Hostap
mailing list