On Tue, Jan 05, 2016 at 12:01:57PM -0800, Adam Jacobs wrote:
> Complete log attached. Thanks!

This is a bit long for the mailing list, so I'll drop the message from the moderation queue. Anyway, I do have the log and it was indeed quite helpful. This confirms that the cryptobinding works fine with TLS v1.2 in the initial authentication. Furthermore, I was able to find what the server did here with the keys exposed in the log.

The difference here is in the server going through the Phase 2 method (EAP-MSCHAPv2) even though TLS session resumption is used. This is against the [MS-PEAP] specification from Microsoft. That seems to be pretty clear on fast reconnection (= TLS session resumption) not using inner EAP authentication. Because of this, wpa_supplicant followed the specified derivation of CMK rather than what the server wanted to do here.

If I make wpa_supplicant use the style used in the no-fast-reconnect case during fast-reconnect where inner EAP method is used, I get matching Compound_MAC with the one shown in your log.

Would you be able to run a test with wpa_supplicant modified with the following changes and provide a debug log from such a run? The main change is in adding the additional !data->phase2_eap_started condition for using the fast-reconnect style CMK derivation (which would be a one-liner, but I think it's useful to add the debug entry here to make it easier to see what happens here if some other servers implement PEAPv0 fast-reconnect differently).

diff --git a/src/eap_peer/eap_peap.c b/src/eap_peer/eap_peap.c index 503d4b0..bf420cc 100644 --- a/src/eap_peer/eap_peap.c +++ b/src/eap_peer/eap_peap.c @@ -253,6 +253,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) { u8 *tk; u8 isk[32], imck[60]; + int resumed; /* * Tunnel key (TK) is the first 60 octets of the key generated by 
@@ -263,8 +264,12 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data) return -1; wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60); - if (data->reauth && - tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) { + resumed = tls_connection_resumed(sm->ssl_ctx, data->ssl.conn); + wpa_printf(MSG_DEBUG, + "EAP-PEAP: CMK derivation - reauth=%d resumed=%d phase2_eap_started=%d phase2_success=%d", + data->reauth, resumed, data->phase2_eap_started, + data->phase2_success); + if (data->reauth && !data->phase2_eap_started && resumed) { /* Fast-connect: IPMK|CMK = TK */ os_memcpy(data->ipmk, tk, 40); wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",
-- 
Jouni Malinen PGP id EFC895FA
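Review bot: The fast-reconnect branch in the second hunk now also requires !data->phase2_eap_started, but the unchanged comment "/* Fast-connect: IPMK|CMK = TK */" above the os_memcpy() does not say why. Since this condition decides which cryptobinding key derivation the peer uses, the comment should record the reason given in the message: [MS-PEAP] fast reconnect does not use inner EAP authentication, and the TK-only derivation is skipped when a server runs a Phase 2 method on a resumed session anyway. Two smaller points in the same hunk: tls_connection_resumed() is now called unconditionally, where the old "data->reauth && tls_connection_resumed(...)" short-circuited it when reauth was not set, which is worth confirming as side-effect free; and the new wpa_printf() logs phase2_success although the condition never tests it, so a short comment that the value is for diagnostics only would avoid readers assuming it gates the branch.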