Hi Alan,

Cleaning up the email. The current draft says the exporter should be called once as:

Key_Material = TLS-Exporter("EXPORTER_EAP_TLS_Key_Material", Type-Code, 128)

and then split the 128 bytes into MSK (64) and EMSK (64).

As I said, from an initial glance it seems the exporter is called twice (once in eap_tls_get_emsk and once in eap_tls_getKey). Both calls are with exactly the same context, context length, and labels. In getKey, the EMSK parts are cleared with

os_memset(eapKeyData + EAP_TLS_KEY_LEN, 0, EAP_EMSK_LEN);

while in get_emsk, they are read with

os_memcpy(emsk, eapKeyData + EAP_TLS_KEY_LEN, EAP_EMSK_LEN);

Maybe we can live with this. But if the exporter is called twice, should we use different labels as suggested by Martin?

Regarding the Enc-Recv-Key and Enc-Send-Key, you obviously know more. I was thrown off by Joe's comment "The mechanism for splitting the MSK into Enc-RECV-Key and Enc-SEND-Key I believe is only used in specific legacy cases (WEP, MPPE?)" and the fact that other EAP methods only export MSK. Other EAP methods leave it to the AAA architecture for splitting up the MSK. Why should EAP-TLS be different?

--Mohit
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls