On Mon, Jul 27, 2015 at 05:03:45PM +0100, Matt Caswell wrote:
> I have just committed a fix for this issue:
> https://github.com/openssl/openssl/commit/f0348c842e75a77f643e7d34cb88609145b2d320
> The above links are for the 1.0.2 commits. Equivalent commits have also
> been pushed for 1.0.1. For master I have only added the test as the bug
> did not exist in master (the version negotiation rewrite fixed it).

Thanks! I can confirm that the 1.0.2 changes allow me to remove the
EAP-FAST workaround (force TLSv1_method() to be used).

I had not yet been able to test EAP-FAST with the master branch snapshot
since there were a number of API changes that broke the mechanism I used
for key derivation. Now that I took a new look at this, most of the
needed accessors have apparently been added. I think I still may need
something to be able to figure out the keyblock size to be able to skip
over it in EAP-FAST key derivation. Anyway, this was sufficiently close
to be able to run some more tests.

With a couple more fixes and hardcoded keyblock size for testing
purposes, it looks like EAP-FAST with authenticated provisioning worked.
Unauthenticated provisioning case was failing due to
"ssl3_client_hello:no ciphers available", but I'd assume that to be
caused by some change in the enabled ciphers (this mode is trying to use
ADH-AES128-SHA).

While this is somewhat beyond the scope of this thread, I'd appreciate
any guidance on how to figure out keyblock size from the current
negotiation with the master branch OpenSSL snapshot. I used to use
ssl->s3->tmp.new_mac_secret_size and EVP_CIPHER_{key,iv}_length(). The
latter are still present, the former is not. Though,
ssl->enc_read_ctx->cipher is not available for EVP_CIPHER_*().
Alternative version used EVP_MD_CTX_md(ssl->read_hash) followed by
EVP_MD_size(). That is not available either.

A more flexible version of SSL_export_keying_material() would be another
(and likely cleaner) alternative for this. The additional need for a
couple of EAP methods is in being able to request server random to be
used before client random (i.e., the reverse order of the standard
implementation) and to be able to skip key block length number of bytes
from the beginning of the PRF output. For that key block skipping part,
though, it would also hit an issue with memcmp against
TLS_MD_KEY_EXPANSION_CONST, i.e., something completely different may be
needed to be able to derive the EAP-FAST session_key_seed (see RFC 4851
Section 5.1 for details and RFC 5422 Section 3.3 shows yet another
EAP-FAST case where session_key_seed and ServerChallenge +
ClientChallenge need to be derived similarly after the key_block). It
would be nice to be able to get those out from OpenSSL without having to
implement the PRF for this externally (and without exporting the master
key for that matter).

-- 
Jouni Malinen                                            PGP id EFC895FA
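
The derivation the message above describes, as an added example that is not part of the original post and is not OpenSSL or hostap code: the TLS 1.0 PRF is run with the "key expansion" label over server random followed by client random, the key block is skipped, and the next 40 octets are taken as the session_key_seed. Function names are hypothetical, the secrets and randoms are constructed sample values, and the sizes (20-byte MAC secret, 16-byte key, 16-byte IV) are assumed for an AES128-SHA suite under TLS 1.0.

```python
import hashlib
import hmac

SKS_LEN = 40  # session_key_seed length (RFC 4851 Section 5.1)


def p_hash(digest, secret, seed, length):
    """P_hash data expansion from RFC 2246 Section 5."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, digest).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 keyed with the first half of the secret,
    XORed with P_SHA1 keyed with the second half."""
    half = (len(secret) + 1) // 2
    md5 = p_hash(hashlib.md5, secret[:half], label + seed, length)
    sha1 = p_hash(hashlib.sha1, secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha1))


def key_block_len(mac_secret_size, key_len, iv_len):
    """TLS 1.0 key block: MAC secret, key and IV for each direction."""
    return 2 * (mac_secret_size + key_len + iv_len)


def session_key_seed(master_secret, server_random, client_random,
                     mac_secret_size, key_len, iv_len):
    """Extend the key expansion output past the key block and return
    only the SKS_LEN octets that follow it."""
    skip = key_block_len(mac_secret_size, key_len, iv_len)
    # Server random first, then client random, as in TLS key expansion.
    seed = server_random + client_random
    out = tls10_prf(master_secret, b"key expansion", seed, skip + SKS_LEN)
    return out[skip:]


# Constructed sample values, not taken from a real handshake.
MASTER_SECRET = bytes(range(48))
SERVER_RANDOM = b"\x01" * 32
CLIENT_RANDOM = b"\x02" * 32

if __name__ == "__main__":
    sks = session_key_seed(MASTER_SECRET, SERVER_RANDOM, CLIENT_RANDOM, 20, 16, 16)
    print(len(sks), sks.hex())
```

A wrong key block size silently yields a different seed rather than an error, which is why the message asks for a way to read the negotiated sizes instead of hardcoding them.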