wpa_supplicant 2.4 / 2.5 Openssl TLS-PRF Problem

Thomas Rosenstein thomas.rosenstein at creamfinance.com
Fri Apr 1 03:41:55 PDT 2016


On 1 Apr 2016, at 12:34, Jouni Malinen wrote:

> On Fri, Apr 01, 2016 at 11:37:40AM +0200, Thomas Rosenstein wrote:
>> OpenSSL Version is 1.0.1k-fips 8 Jan 2015 from Fedora 22.
>>
>> Any idea in which version they changed it?
>
> The issue I was thinking of was fixed with this commit:
> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=4fdf917
>
> It was present in OpenSSL 1.0.1f but should be fixed in 1.0.1h and I'd
> assume that would include 1.0.1k in Fedora if that really is based on
> 1.0.1k and not just some important fixes being pulled into an earlier
> snapshot. I think this issue is still present in the Ubuntu 14.04
> package for example, but that is identified as 1.0.1f-1ubuntu2.18.

It's identified as package openssl.x86_64 1:1.0.1k-14.fc22

>
> So if it is not that one, then something else.. Which TLS cipher suite
> are you using here and what kind of X.509 certificate(s) (mainly, the
> signature algorithms)?

sha256WithRSAEncryption

It's a public certificate; the other side is OpenSSL from NodeJS.

I'm now using TLSv1_server_method to mitigate the issue (since it only 
happens with TLS1.2); before that I used TLS_method as the secureProtocol 
method.

> Please note that the hash function changes and
> the wpa_supplicant implementation of the internal key derivation does
> not support this correctly for some cases (which is one of the reasons
> for SSL_export_keying_material() being used in the first
> place).

I'm only aware of the change SHA1-MD5 -> SHA256 with the transition from 
TLS1.1 to TLS1.2.

Are there other algorithms in use?

I know that with 2.3 the TLS1.2 was not implemented correctly; with 2.5 
I believe there's a commit adding the functionality.

>
> -- 
> Jouni Malinen                                            PGP id EFC895FA


Thomas


