wpa-supplicant EAP-TLS Key derivation TLS 1.2

Jānis Čoders janis.coders at gmail.com
Wed Sep 2 02:18:44 EDT 2015

Thank you for your answers.

I did some more digging and seems like the provided patch won't work
for all cases, because TLS1.2 standard
states that prf-sha256 must be used for defined ciphers, but for
future ciphers the hash algorithm must be
taken from that cipher. So if cipher was AES256-GCM-SHA384, then
tls_prf_sha384 must be used.

   In this section, we define one PRF, based on HMAC.  This PRF with the
   SHA-256 hash function is used for all cipher suites defined in this
   document and in TLS documents published prior to this document when
   TLS 1.2 is negotiated.  New cipher suites MUST explicitly specify a
   PRF and, in general, SHOULD use the TLS PRF with SHA-256 or a
   stronger standard hash function.


On 28 August 2015 at 19:08, Jouni Malinen <j at w1.fi> wrote:
> On Fri, Aug 28, 2015 at 03:28:52PM +0100, Nick Lowe wrote:
>> You derive it based on the TLS version.
>> SSL_export_keying_material() is fine to use as all OpenSSL versions
>> that implement TLS 1.2 support this.
>> Falling back where it is not available is therefore fine.
> For existing cases, yes, that was the case. With TLS v1.2 getting
> enabled for EAP-FAST with some new OpenSSL versions, additional changes
> are needed. That's why the fallback does now have support for TLS v1.2
> -based key derivation:
> http://w1.fi/cgit/hostap/commit/?id=16bc3b8935c3f37ea79ff511a36e77d52ab94da7
> --
> Jouni Malinen                                            PGP id EFC895FA

Ar cieņu,
Jānis Čoders

More information about the HostAP mailing list