wpa_supplicant 2.4 / 2.5 OpenSSL TLS-PRF Problem

Thomas Rosenstein thomas.rosenstein at creamfinance.com
Thu Mar 31 01:17:39 PDT 2016


Hi,

I have got a problem with the TLS-PRF function for key derivation in 
wpa_supplicant.

With version 2.5 the TLS-PRF-SHA256 for TLS 1.2 was added to the source 
code, but by default it's using the OpenSSL implementation.


I have implemented a RADIUS server that's using the same function. When 
commenting out the OpenSSL call, wpa_supplicant derives the same key as 
my application, and therefore the connection works.
If the OpenSSL implementation is used, the keys differ.


I have added additional logging; here is the necessary information for 
the key derivation:

2016-03-03 17:26:43.782 SSL                  Client Random:  <Buffer 9d 
02 f1 6c 68 ee a7 cf 10 80 c9 50 91 1e 4f 1a b1 39 72 79 b8 07 db a0 38 
69 31 f7 eb 63 24 c8>
2016-03-03 17:26:43.786 SSL                  Server Random:  <Buffer 55 
cd ad 71 23 c4 f6 f0 e8 19 e1 8f 19 13 38 9a b2 31 78 09 f0 81 92 ee 4b 
63 63 78 69 7b ed 95>

2016-03-03 17:26:43.883 SSL                  SSL Version:  771 771 TLS 
1.2
2016-03-03 17:26:43.883 SSL                  SSL v1.0 <Buffer 6a d9 5f 
88 04 c1 2c 43 05 35 16 3b e0 5e 78 c8 8d 3f 70 1f 08 f2 00 77 3f 26 84 
2c 58 06 13 38 e3 ca b7 b6 90 67 e2 6e 1c 90 2c 07 d8 1e 4b a4 bc 3f ... 
  >
2016-03-03 17:26:43.884 SSL                  SSL v1.2 <Buffer 39 9e 3c 
8f 30 aa 5a 96 11 cb 8e 54 e1 84 5e a4 79 4e c9 bb 38 c7 e2 9d ae c5 aa 
42 59 f5 00 b3 f2 ea 77 5e 6f 5d 94 9b 45 a9 58 13 36 c2 92 d3 93 60 ... 
  >
2016-03-03 17:26:43.884 SSL                  Master Key:  <Buffer 5b ef 
6c ba f7 e4 29 9e 16 09 d8 fa 76 02 eb 8b d7 b5 ed 5f 8a c5 ea 35 f1 a3 
9d 37 cb 74 ad ff 61 6a 01 f9 f4 a4 be 7a 66 85 af 07 ed 67 b0 1f>
2016-03-03 17:26:43.884 SSL                  Key Material:  <Buffer 39 
9e 3c 8f 30 aa 5a 96 11 cb 8e 54 e1 84 5e a4 79 4e c9 bb 38 c7 e2 9d ae 
c5 aa 42 59 f5 00 b3 f2 ea 77 5e 6f 5d 94 9b 45 a9 58 13 36 c2 92 d3 93 
60 ... >
2016-03-03 17:26:43.884 SSL                  MSK:  <Buffer 39 9e 3c 8f 
30 aa 5a 96 11 cb 8e 54 e1 84 5e a4 79 4e c9 bb 38 c7 e2 9d ae c5 aa 42 
59 f5 00 b3 f2 ea 77 5e 6f 5d 94 9b 45 a9 58 13 36 c2 92 d3 93 60 ... > 
64
2016-03-03 17:26:43.885 SSL                  EMSK:  <Buffer 6a f4 69 0b 
c2 ab c6 de e8 11 ef fc 39 73 54 85 9e d8 91 67 fb 2a 2d 92 69 70 87 37 
0f 00 9a ca d0 81 9b e3 b3 1c 92 8f b8 67 3e c7 cb 7c e1 c8 ac c7 ... >



The derived keys in wpa_supplicant:

First, here is the key OpenSSL is trying to tell us:

1459351603.922696: OpenSSL - Derived - hexdump(len=64): 6a 41 ed ab 85 
dd f8 99 75 2d 6c 3b e4 0e d9 04 07 9a 63 9c 8f 65 b4 37 7c 39 71 a2 f4 
1e a1 26 66 a8 23 08 f1 d2 ee 13 5f 99 76 f8 a5 01 12 b8 6b a4 f1 21 1d 
7f 87 a6 ef 19 51 21 1b 30 65 90

Here is the key the wpa_supplicant implementation returns:

1459351603.922707: Derived - hexdump(len=32): 9d 02 f1 6c 68 ee a7 cf 10 
80 c9 50 91 1e 4f 1a b1 39 72 79 b8 07 db a0 38 69 31 f7 eb 63 24 c8
1459351603.922711: Derived - hexdump(len=32): 55 cd ad 71 23 c4 f6 f0 e8 
19 e1 8f 19 13 38 9a b2 31 78 09 f0 81 92 ee 4b 63 63 78 69 7b ed 95
1459351603.922715: Derived - sha256 TLS1.2
1459351603.922739: EAP-PEAP: Derived key 3333 - hexdump(len=64): 39 9e 
3c 8f 30 aa 5a 96 11 cb 8e 54 e1 84 5e a4 79 4e c9 bb 38 c7 e2 9d ae c5 
aa 42 59 f5 00 b3 f2 ea 77 5e 6f 5d 94 9b 45 a9 58 13 36 c2 92 d3 93 60 
02 b2 a9 c2 88 8d 80 a1 ac fd f0 f5 24 ce
1459351603.922751: EAP-PEAP: Derived Session-Id 3333 - hexdump(len=65): 
19 9d 02 f1 6c 68 ee a7 cf 10 80 c9 50 91 1e 4f 1a b1 39 72 79 b8 07 db 
a0 38 69 31 f7 eb 63 24 c8 55 cd ad 71 23 c4 f6 f0 e8 19 e1 8f 19 13 38 
9a b2 31 78 09 f0 81 92 ee 4b 63 63 78 69 7b ed 95


I added those logs, so don't search for them ;)


As you can see the wpa_supplicant implementation returns the same MSK as 
my implementation. Either BOTH of them are defective or OpenSSL is doing 
something shady.

Does someone have insight into the OpenSSL implementation and why it's 
returning "a wrong" key?


BR
Thomas
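
A cross-check for the comparison described in this message, as an added example (not code from the post, wpa_supplicant or OpenSSL): it computes the RFC 5246 TLS 1.2 PRF and the RFC 5216 MSK/EMSK split from the master key and randoms logged above, so the output can be compared with both hexdumps. The label "client EAP encryption" and the selectable hash are assumptions; in TLS 1.2 the PRF hash is set by the negotiated cipher suite, which the logs do not show.

```python
import hmac

def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """RFC 5246 section 5: PRF = P_hash(secret, label || seed), cut to length."""
    seed = label + seed
    a, out = seed, b""                                   # a starts as A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()      # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]

def eap_tls_keys(master_secret, client_random, server_random, hash_name="sha256"):
    """RFC 5216 section 2.3: 128 octets of key material, MSK first 64, EMSK next 64."""
    material = tls12_prf(master_secret, b"client EAP encryption",  # label is an assumption
                         client_random + server_random, 128, hash_name)
    return material[:64], material[64:]

def has_prefix(key, logged_hex):
    """True if key starts with the bytes of a (possibly truncated) hexdump."""
    return key.startswith(bytes.fromhex(logged_hex))

# Values copied from the log lines in the post.
CLIENT_RANDOM = bytes.fromhex(
    "9d 02 f1 6c 68 ee a7 cf 10 80 c9 50 91 1e 4f 1a"
    "b1 39 72 79 b8 07 db a0 38 69 31 f7 eb 63 24 c8")
SERVER_RANDOM = bytes.fromhex(
    "55 cd ad 71 23 c4 f6 f0 e8 19 e1 8f 19 13 38 9a"
    "b2 31 78 09 f0 81 92 ee 4b 63 63 78 69 7b ed 95")
MASTER_SECRET = bytes.fromhex(
    "5b ef 6c ba f7 e4 29 9e 16 09 d8 fa 76 02 eb 8b"
    "d7 b5 ed 5f 8a c5 ea 35 f1 a3 9d 37 cb 74 ad ff"
    "61 6a 01 f9 f4 a4 be 7a 66 85 af 07 ed 67 b0 1f")
INTERNAL_DUMP = "39 9e 3c 8f 30 aa 5a 96"   # start of "EAP-PEAP: Derived key"
OPENSSL_DUMP = "6a 41 ed ab 85 dd f8 99"    # start of "OpenSSL - Derived"

if __name__ == "__main__":
    # Try more than one PRF hash and report which logged key each one reproduces.
    for name in ("sha256", "sha384"):
        msk, emsk = eap_tls_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, name)
        print(name, "MSK", msk.hex())
        print("  matches internal dump:", has_prefix(msk, INTERNAL_DUMP))
        print("  matches OpenSSL dump: ", has_prefix(msk, OPENSSL_DUMP))
```
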


