wpa supplicant v0.3.3 and WPA2-PSK issue

Jouni Malinen jkmaline
Thu Jan 13 20:16:43 PST 2005

On Wed, Jan 12, 2005 at 11:24:26AM -0500, Zimmermann, Christopher Brian (Chris) wrote:

> I am associating to a Cisco AP1231 with WPA2 Wi-Fi Alliance special test
> firmware (for WPA2/WMM certification).
> I tried using WPA2-PSK and it always fails.  I believe the problem to be
> caused by PMKSA.  To the best of my understanding, PMKSA and Pre-Shared
> Key are mutually exclusive; the point of PMKIDs being to avoid the
> potentially lengthy EAP negotiation (certificate exchange, etc.).

PMKSA/PMKID is not limited to WPA2 with EAP authentication even though
that is indeed the most common use case for them.

> Earlier in the function, eapol_sm_get_key() is called, and no key is
> obtained, PMKSA caching being aborted.  wpa_eapol_send() is called and
> the 1_of_4 function returns.  For the PSK condition, this seems to be
> invalid.  I patched the problem on my system by changing
> Line 1106:	if (abort_cached) {
> to be as follows:
> 	if ((abort_cached) && (wpa_s->key_mgmt ==
> This change prevents sending out the EAPOL-Start message, which the AP
> will not answer, and allows sends message 2/4.  WPA2-PSK completes
> successfully this way

I added couple of workarounds for similar issue with WPA2 with EAP
authentication in v0.3.3, but did not test WPA2-PSK at that point. This
change looks valid since there is no point in sending out EAPOL-Start
messages with WPA2-PSK, nor in aborting the authentication at that
point. I added this to the current development branch.

Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list