MPPE key not matching when i use mbedtls

Question

I'm running Mbed TLS as a core security library, in embedded platform. my application is used to connect to enterprise network using PEAPv0 with mschapv2 as phase2 authentication.

Following are the setup details server setup on Ubuntu

      Eap Server : Free radius with version 3.0.15
      openssl :1.0.2g
      Ubuntu version : 16.04LTS

Client side setup

      platform : Micro controller based platform
      OS : FreeRTOS

I'm using TLSv1.2 with cipher-suite MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 / MBEDTLS_TLS_ECDHE_WITH_AES_256_GCM_SHA384 and im taking help of inbuilt tls-prf function for the mentioned cipher suites and it uses tls_prf_sha384 function, what i found is the MPPE key generated at client side and server side is not matching.

But when i use MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA256 / MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA which intern uses tls_prf_sha256, what i found is MPPE key generated is matching at both end

However as per TLS v1.2 RFC, provision has been made to dynamically select the cipher-suite based on the client-server negotiation. but in case of less than TLSv1.2 it uses tls1_prf function.

When i looking into openssl code, freeradius and wpa_supplicant code it uses the function SSL_export_keying_material . Then alos im Not able to find the implementation difference wrt openssl "SSL_export_keying_material" function and the Mbedtls "tls_prf".

May i know what else im missing.

Answer 1

For visibility, copying my answer in Mbed TLS support forum:

To rule out the basics, please verify you have MBEDTLS_SHA512_C defined in your configuration file. The key material is generated in mbedtls_ssl_derive_keys(). It should derive same key that is derived using SSL_export_keying_material(). If possible, you should check that the input parameters are same for both client and server, for example, you don't have a memory issue on your platform, the causes corruption in you buffer. Regards, Mbed TLs Team member Ron