Re-keying - Where in the code

SR Dasgupta srdasgupta
Sat Oct 4 06:50:16 PDT 2003


Am sorry. I pull back this question. I got it.

-----Original Message-----
From:	SR Dasgupta [SMTP:srdasgupta at contechsoftware.com]
Sent:	Saturday, October 04, 2003 7:17 PM
To:	'hostap at shmoo.com'
Subject:	Re-keying - Where in the code

Jouni,

I guess you are the best person to tell me this.

As per the IEEE 802.1x, the following is what txkey() of Authenticator Key Transmit State Machine is supposed to do:
"txKey(x). An EAPOL frame of type EAP-Packet, containing an EAPOL Key packet, is transmitted
to the Supplicant. The Identifier field of the EAP packet carries the value of x, the argument to the
procedure."

Looking at the txkey() fn of the hostapd, I could understand that the key is generated and by calling the hostapd_ioctl()
the key is set in the driver. I also checked it using iwlsit tool. What I didnot get in the code is where EAPOL Key packet 
is transmitted to the supplicant. I am sure you must have written it somewhere since if EAPOL Key packet doesnot get 
transmitted, the supplicant would never come to know the correct WEP key to use.

Regards,
Shubharanjan
	

-----Original Message-----
From:	SR Dasgupta [SMTP:srdasgupta at contechsoftware.com]
Sent:	Saturday, October 04, 2003 5:56 PM
To:	'Jouni Malinen'
Cc:	'hostap at shmoo.com'
Subject:	Re: Hostapd Test Results and Problem Areas - used TLS

Hi Jouni,

Am back :) but not with good news :(.

So, let's see what happened at my end. I have replicated the syslog of my target board at the end of this mail.
Please refer it. I tried both the options (see below) you specified (with and without unicast) but the syslog doesnot changes.
I tried to get into debuggin' the stuff by inserting printf() in the authpae state machine and printk() later in
hostap_rx_frame_decrypt() function. What I observed in hostapd (IEEE 802.1x) is that after the 802.11 association
and authentication takes place, the 802.1x state machine keeps keeps looping in DISCONNECTED and CONNECTED
state which is ofcourse right. Here is the output on the terminal:

************************************************************
#
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: authentication OK (open system)
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: authenticated
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: association OK (aid 1)
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: associated (aid 1)
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: authentication OK (open system)
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: authenticated
eth2: STA 00:0a:79:15:09:45 IEEE 802.11: association OK (aid 1)
AUTH_PAE_DISCONNECTED TO, CONNECTING
AUTH_PAE_CONNECTING TO, CONNECTING
AUTH_PAE_CONNECTING TO, CONNECTING
AUTH_PAE_CONNECTING to, DISCONNECTED
eth2: STA 00:0a:79:15:09:45 IEEE 802.1X: unauthorizing port
AUTH_PAE_DISCONNECTED to, CONNECTING
************************************************************

After observing the printk(), it is for sure that in hostap_rx_frame_decrypt(), the WEP decryptions fails at the
following location (I inserted the '2.' of ' 2. WEP decryption ' here) :
************************************************************
	/* decrypt WEP part of the frame: IV (4 bytes), encrypted
	 * payload (including SNAP header), ICV (4 bytes) */
	atomic_dec(&crypt->refcnt);
	if (olen < 0) {
		printk(KERN_DEBUG "%s: 2. WEP decryption failed (SA=" MACSTR
		       ")\n", local->dev->name, MAC2STR(rxdesc->addr2));
***************************************************************

It is highly possible that I have configured the hostapd correctly but have incorrectly configured the 
WinXP supplicant. Incase anyone is using TLS with re-keying using hostapd & WinXP supplicant, 
please let me know exactly how the XP client was configured.

Jouni, am still using hostapd-0.0.3 and not 0.0.4. Though I would personally love to but for non-technical reasons, 
I cannot re-do the exercise of porting hostapd again on target board for next 3 months. I donot know how to get the
supplicant log on WinXP. If can tell me the steps, I will get that. My platform has MIPS little endian but I donot think
that matters since WEP, MD5 and TLS work pretty well. Incase you need more information, let me know.

Eagerly waiting for your reply.

Regards,
Shubharanjan

************************************************************
Syslog
************************************************************
# cat /var/log/messages
Jan 22 19:49:21 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:49:51 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:50:05 (none) daemon.debug hostapd: eth2: STA 00:0a:79:15:09:45 IEEE 80
2.1X: unauthorizing port
Jan 22 19:50:21 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:50:51 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:51:06 (none) daemon.debug hostapd: eth2: STA 00:0a:79:15:09:45 IEEE 80
2.1X: unauthorizing port
Jan 22 19:51:21 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:51:51 (none) daemon.debug klogd: eth2:2. WEP decryption failed (SA=00:
0a:79:15:09:45)
Jan 22 19:52:07 (none) daemon.debug hostapd: eth2: STA 00:0a:79:15:09:45 IEEE 80

************************************************************






-----Original Message-----
From:	Jouni Malinen [SMTP:jkmaline at cc.hut.fi]
Sent:	Saturday, September 20, 2003 8:57 PM
To:	hostap at shmoo.com
Subject:	Re: Hostapd Test Results and Problem Areas

On Thu, Sep 11, 2003 at 04:00:57PM -0000, SR Dasgupta wrote:

> Successful Testings
> ===============
> 1. EAP-MD5 	- This works fine.
> 2. EAP-TLS 	- This works fine as well.

I assume this means that you were able to authenticate the station with
both EAP-MD5 and EAP-TLS when all WEP settings were disabled.

YES. you are right.

> Case 6: (WEP & TLS - key rotation)
> Repeat Case 4 but for the following:
> 1. Enable key rotation ("wep_rekey_period=300") in hostapd.conf. Keep 
> 802.1x option enabled (ieee8021x=1). Configure RADIUS setting correctly, 
> this time for Oddessy server.

Did you enable both broadcast and unicast keys in hostapd.conf?

Recommended configuration for EAP-TLS is:
[Option 1]
ieee8021x=1
wep_key_len_broadcast=13
wep_key_len_unicast_5
wep_rekey_period=300
eapol_key_index_workaround=0
# and RADIUS auth. server configuration

if only broadcast keys are tested, following changes are needed

[Option 2]
wep_key_len_unicast=0
eapol_key_index_workaround=1

If this does not work, please send hostapd debug log (output of
hostapd -ddd hostapd.conf) from a failed case. If you can get debug log
from the supplicant side, that would also be useful finding out why this
did not work.

Both options didnot work. See Syslog above.

-- 
Jouni Malinen                                            PGP id EFC895FA
_______________________________________________
HostAP mailing list
HostAP at shmoo.com
http://lists.shmoo.com/mailman/listinfo/hostap





More information about the Hostap mailing list