On 2009-09-30 10:30 PDT, Jouni Malinen wrote: > On Sep 29, 11:50 pm, Douglas Stebila <doug...@stebila.ca> wrote: >> You can find a patch implementing draft-ietf-tls-extractor-07 in NSS >> attached to bug 507359. >> >> https://bugzilla.mozilla.org/show_bug.cgi?id=507359 > > Thanks! This looks very useful. However, when testing the implementation, > I did run into interoperability issues due to the PRF construction used > in draft-ietf-tls-extractor-07. This is not really an issue in the > implementation of the draft, but in the draft itself.. The initial -00 > version would have actually worked, but starting from -01, the > unconditional addition of the context_value_length field breaks > compatibility with the PRF used in EAP-TLS, EAP-PEAP, and EAP- TTLS. > (EAP-FAST case is not supported even if that were to be resolved since it > swaps the client and server random values in the PRF input data) > > I don't know what would be the best way of resolving this. I did sent a > note about this to the author of the draft, but that may already be too > late taken into account that IESG has already approved it.
These issues need to be brought up to the IETF TLS mailing list, ASAP. The last thing we want, IMO, is to have to implement a bunch of slightly-different incompatible extractor functions. :-/ > Anyway, the version of the patch that I used successfully is available > at http://w1.fi/p/nss-EKM.diff should anyone be interested in it. This > can be used successfully with wpa_supplicant to run EAP-PEAP and EAP- > TTLS (and eventually, EAP-TLS once the NSS wrapper gets completed as far > as certificate/private key configuration is concerned). In addition to > making the context length field conditional, that patch fixes a > compilation issue (C++ comment style converted to C) and cleans up couple > of trailing whitespaces from the patch attached to bugzilla. If you would like to contribute your patch to mozilla for consideration for inclusion into NSS, please file an enhancement request "bug" in bugzilla.mozilla.org and attach your patch to it. Thanks. > - Jouni -- 12345678901234567890123456789012345678901234567890123456789012345678901234567890 00000000011111111112222222222333333333344444444445555555555666666666677777777778 -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
