This converts tls_connection_handshake(),
tls_connection_server_handshake(), tls_connection_encrypt(), and
tls_connection_decrypt() to use struct wpa_buf to allow higher layer
code to be cleaned up with consistent struct wpabuf use.
This allows NSS to be used to derive EAP-TLS/PEAP/TTLS keying material.
NSS requires a patch from
https://bugzilla.mozilla.org/show_bug.cgi?id=507359
to provide the new API. In addition, that patch needs to be modified to
add the 16-bit context length value in SSL_ExportKeyingMaterial() only if
contextlen != 0 in order to match with the EAP-TLS/PEAP/TTLS use cases.
This issue seems to be coming from the unfortunate incompatibility in
draft-ietf-tls-extractor-07.txt (draft-ietf-tls-extractor-00.txt would
have used compatible PRF construction).
At this point, it is unclear how this will be resolved eventually, but
anyway, this shows a mechanism that can be used to implement EAP key
derivation with NSS with a small patch to NSS.
This brings in the first step in adding support for using NSS
(Mozilla Network Security Services) as the crypto and TLS library
with wpa_supplicant. This version is able to run through EAP-PEAP
and EAP-TTLS authentication, but does not yet implement any
certificate/private key configuration. In addition, this does not
implement proper key fetching functions either, so the end result
is not really of much use in real world yet.