WPA PSK-key length problem?

Holger Schurig hs4233
Mon Mar 7 01:42:24 PST 2005


I'm now trying WPA-PSK. Unfortunately, it didn't work; some packets have 
the wrong length.

The device that connects to the Access-Point is running Linux 2.4 on an 
Intel XScale PXA255, an ARM-like processor used in embedded devices and 
PDAs. In the past, I had to apply alignment fixes to some low-level stuff, 
e.g. libusb. Maybe I'm running into the same problem zone here.

A pointer on how I can disassemble the packet and verify its contents would 
be helpful.



But let's first look at the error message in the Access-Point. When I 
enable some debug messages on my Cisco 1200, I see this:

-----------------------------------------
$ telnet 172.16.1.121
Username: Cisco
Password:
ap>enable
Password:
ap#terminal monitor
ap#debug dot11 aaa dot1x all

[This is enough debug level to see the error message]

Key Change debugging is on
*Mar  1 00:18:47.504: dot11_aaa_dot1x_start: in 
the dot11_aaa_dot1x_start
*Mar  1 00:18:47.504: dot11_dot1x_run_rfsm: Executing 
Action(INIT,EAP_START) for 0010.c630.9bfe
*Mar  1 00:18:47.504: dot11_dot1x_start_ssn_psk: Starting 4-way handshake 
for PSK supplicant 0010.c630.9bfe
*Mar  1 00:18:47.504: dot11_dot1x_build_ptk_handshake: building PTK msg 1 
for 0010.c630.9bfe
*Mar  1 00:18:47.505: dot11_dot1x_client_send_eapol: sending eapol to 
client 0010.c630.9bfe
*Mar  1 00:18:47.505: dot11_dot1x_send_ptk_msg1: [1] Sent PTK msg 1 to 
0010.c630.9bfe
*Mar  1 00:18:47.562: dot11_dot1x_parse_client_pak: Received EAPOL packet 
from 0010.c630.9bfe, type 0
*Mar  1 00:18:47.562: EAPOL pak dump rx
*Mar  1 00:18:47.562: EAPOL Version: 0x1  type: 0x3  length: 0x0077
*Mar  1 00:18:47.562: EAP code: 0xFE id: 0x1  length: 0x0900 type: 0x20
00E14540:                   01030077 FE010900          ...w~...
00E14550: 20000000 00000000 01CF1D81 62ABC030   ........O..b+ at 0
00E14560: 7A7EC031 43C90D49 7F799712 8C0536A7  z~@1CI.I.y....6'
00E14570: CD86F0B3 EF7B120D EC000000 00000000  M.p3o{..l.......
00E14580: 00000000 00000000 00000000 00000000  ................
00E14590: 00000000 00000000 00E42470 E7439225  .........d$pgC.%
00E145A0: 5A82929C 5C2F746D 7C0018DD 160050F2  Z...\/tm|..]..Pr
00E145B0: 01010000 50F20201 000050F2 02010000  ....Pr....Pr....
00E145C0: 50F202                               Pr.

  This packet looks similar to what gets sent in "Sending EAPOL-Key 2/4"
  below, everything after the EAPOL indicator 0x888e.

*Mar  1 00:18:47.564: dot11_dot1x_run_rfsm: Executing 
Action(PTK_MSG2_WAIT,RECV_EAPOL_KEY_RSP) for 0010.c630.9bfe
*Mar  1 00:18:47.564: dot11_dot1x_verify_ptk_handshake: verifying PTK msg 
2 from 0010.c630.9bfe
*Mar  1 00:18:47.564: dot11_dot1x_verify_ptk_handshake: Invalid EAPOL-Key 
Data Len: exp=26, act=24

  Unfortunately, its size is wrong :-(    Seems like some message got
  truncated? I don't know for sure unless I decompile this packet. Here
  I'd need help, e.g. a pointer to RFCs describing the structure.

*Mar  1 00:18:48.505: dot11_dot1x_run_rfsm: Executing 
Action(PTK_MSG2_WAIT,TIMEOUT) for 0010.c630.9bfe
*Mar  1 00:18:48.505: dot11_dot1x_build_ptk_handshake: building PTK msg 1 
for 0010.c630.9bfe
*Mar  1 00:18:48.505: dot11_dot1x_client_send_eapol: sending eapol to 
client 0010.c630.9bfe
*Mar  1 00:18:48.505: dot11_dot1x_send_ptk_msg1: [2] Sent PTK msg 1 to 
0010.c630.9bfe
-----------------------------------------





The other side of the communication looked like this:

-----------------------------------------
Initializing interface 'eth1' conf '/etc/wpa.conf' driver 'default'
Configuration file '/etc/wpa.conf' -> '/etc/wpa.conf'
Reading configuration file '/etc/wpa.conf'
ctrl_interface='/var/run/wpa_supplicant'
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
Line: 25 - start of a new network block
ssid - hexdump_ascii(len=7):
     4d 4e 46 55 4e 4b 32                              MNFUNK2
proto: 0x1
key_mgmt: 0x2
pairwise: 0x8
group: 0x8
PSK (ASCII passphrase) - hexdump_ascii(len=8):
     54 65 73 74 6b 65 79 31                           Testkey1
priority=2 (0x2)
PSK (from passphrase) - hexdump(len=32): ad 6e 58 39 36 e3 71 12 f8 d8 c1 
d5 62 24 c4 d8 99 fa 4d fc 74 e0 a7 c4 be c3 65 8b 9d b3 c4 9b
Priority group 2
   id=0 ssid='MNFUNK2'
Initializing interface (2) 'eth1'
EAPOL: SUPP_PAE entering state DISCONNECTED
EAPOL: KEY_RX entering state NO_KEY_RECEIVE
EAPOL: SUPP_BE entering state INITIALIZE
EAP: EAP entering state DISABLED
EAPOL: External notification - portEnabled=0
EAPOL: External notification - portValid=0
wpa_driver_hermes_init: eth1
found Hermes 2 STA
Own MAC address: 00:10:c6:30:9b:fe
wpa_driver_hermes_set_wpa: enabled=1
wpa_driver_hermes_set_key: alg=none key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_hermes_set_key: alg=none key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_hermes_set_key: alg=none key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_hermes_set_key: alg=none key_idx=3 set_tx=0 seq_len=0 key_len=0
wpa_driver_hermes_set_countermeasures: enabled=0
wpa_driver_hermes_set_drop_unencrypted: enabled=1
Setting scan request: 0 sec 100000 usec
Wireless event: cmd=0x8b06 len=8
unhandled
State: DISCONNECTED -> SCANNING
Starting AP scan (broadcast SSID)
Wireless event: cmd=0x8b19 len=12
Received 4096 bytes of scan results (2 BSSes)
Scan results: 2
Selecting BSS from priority group 2
0: 00:12:7f:8b:62:30 ssid='MNFUNK2' wpa_ie_len=24 rsn_ie_len=0
   selected
Trying to associate with 00:12:7f:8b:62:30 (SSID='MNFUNK2' freq=0 MHz)
Cancelling scan request
Automatic auth_alg selection: 0x1
WPA: using IEEE 802.11i/D3.0
WPA: Selected cipher suites: group 8 pairwise 8 key_mgmt 2
WPA: using GTK TKIP
WPA: using PTK TKIP
WPA: using KEY_MGMT WPA-PSK
WPA: Own WPA IE - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50 f2 02 01 
00 00 50 f2 02 01 00 00 50 f2 02
No keys have been configured - skip key clearing
wpa_driver_hermes_set_drop_unencrypted: enabled=1
State: SCANNING -> ASSOCIATING
wpa_driver_hermes_associate
wpa_driver_hermes_set_wpa_ie
Setting authentication timeout: 5 sec 0 usec
EAPOL: External notification - EAP success=0
EAPOL: External notification - EAP fail=0
EAPOL: External notification - portControl=Auto
Wireless event: cmd=0x8b04 len=12
unhandled
Wireless event: cmd=0x8b1a len=19
unhandled
RX EAPOL from 00:12:7f:8b:62:30
RX EAPOL - hexdump(len=99): 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 
00 01 eb 5f 39 16 f1 80 67 a5 6b 2d b6 3e db a3 b2 a6 70 ff 66 8b fa 9a db 
6f 9c 96 0b 31 8b 75 5b 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00
Setting authentication timeout: 10 sec 0 usec
IEEE 802.1X RX: version=1 type=3 length=95
  EAPOL-Key type=254
WPA: RX EAPOL-Key - hexdump(len=99): 01 03 00 5f fe 00 89 00 20 00 00 00 
00 00 00 00 01 eb 5f 39 16 f1 80 67 a5 6b 2d b6 3e db a3 b2 a6 70 ff 66 8b 
fa 9a db 6f 9c 96 0b 31 8b 75 5b 4e 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00
State: ASSOCIATING -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:12:7f:8b:62:30 (ver=1)
WPA: WPA IE for msg 2/4 - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50 
f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02
WPA: Renewed SNonce - hexdump(len=32): cf 1d 81 62 ab c0 30 7a 7e c0 31 43 
c9 0d 49 7f 79 97 12 8c 05 36 a7 cd 86 f0 b3 ef 7b 12 0d ec
WPA: PMK - hexdump(len=32): ad 6e 58 39 36 e3 71 12 f8 d8 c1 d5 62 24 c4 
d8 99 fa 4d fc 74 e0 a7 c4 be c3 65 8b 9d b3 c4 9b
WPA: PTK - hexdump(len=64): bf 80 40 f7 07 74 ce 18 77 c3 d1 ee 52 dd ff 
96 e0 81 59 c6 54 fa 7a 14 23 4c c1 41 4c e8 13 ed 2d a9 3b 12 87 b0 fb 8e 
12 bd fa ea 32 ad f2 59 b9 33 82 f2 b9 77 37 46 44 76 17 37 ed ce 4b 21
WPA: Sending EAPOL-Key 2/4
WPA: TX EAPOL-Key - hexdump(len=137): 00 12 7f 8b 62 30 00 10 c6 30 9b fe 
88 8e 01 03 00 77 fe 01 09 00 20 00 00 00 00 00 00 00 01 cf 1d 81 62 ab 
c0 30 7a 7e c0 31 43 c9 0d 49 7f 79 97 12 8c 05 36 a7 cd 86 f0 b3 ef 7b 
12 0d ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 e4 24 70 e7 43 92 25 5a 82 92 9c 5c 2f 74 
6d 7c 00 18 dd 16 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 
00 50 f2 02
RX EAPOL from 00:12:7f:8b:62:30
RX EAPOL - hexdump(len=99): 01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 
00 02 eb 5f 39 16 f1 80 67 a5 6b 2d b6 3e db a3 b2 a6 70 ff 66 8b fa 9a db 
6f 9c 96 0b 31 8b 75 5b 4f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00
IEEE 802.1X RX: version=1 type=3 length=95
  EAPOL-Key type=254
WPA: RX EAPOL-Key - hexdump(len=99): 01 03 00 5f fe 00 89 00 20 00 00 00 
00 00 00 00 02 eb 5f 39 16 f1 80 67 a5 6b 2d b6 3e db a3 b2 a6 70 ff 66 8b 
fa 9a db 6f 9c 96 0b 31 8b 75 5b 4f 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00
State: 4WAY_HANDSHAKE -> 4WAY_HANDSHAKE
WPA: RX message 1 of 4-Way Handshake from 00:12:7f:8b:62:30 (ver=1)
WPA: WPA IE for msg 2/4 - hexdump(len=24): dd 16 00 50 f2 01 01 00 00 50 
f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02
WPA: PMK - hexdump(len=32): ad 6e 58 39 36 e3 71 12 f8 d8 c1 d5 62 24 c4 
d8 99 fa 4d fc 74 e0 a7 c4 be c3 65 8b 9d b3 c4 9b
WPA: PTK - hexdump(len=64): 5d 8b 7f ef 75 1e a1 4e ad 93 3c 8c 5e 15 0b 
5c 60 fa 47 64 cf 72 ff 58 0d 11 98 93 64 5f b6 eb bf 16 77 a6 97 69 80 a2 
84 a7 4d 2c 57 70 e7 6a 52 90 1a dd 39 d0 4b 31 a7 8f 45 eb 76 21 bd fb
WPA: Sending EAPOL-Key 2/4
-----------------------------------------



Just for reference, my wpa.conf is

-----------------------------------------
network={
        ssid="MNFUNK2"
        proto=WPA
        key_mgmt=WPA-PSK
        pairwise=TKIP
        group=TKIP
        psk="Testkey1"
        priority=2
}
-----------------------------------------

and the relevant config of the Access-Point looks like

-----------------------------------------
[...]
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption mode ciphers tkip
 !
 ssid MNFUNK2
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 06320A3258450C0054
 !
[...]
-----------------------------------------




More information about the Hostap mailing list
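Added example (not part of the post, and not wpa_supplicant or hostapd code): a Python decoder for the two EAPOL-Key frames quoted above, which answers the "how do I disassemble the packet and verify its contents" question. The frame layout is not in an RFC but in IEEE 802.11i clause 8.5 (802.1X header: version, type 3, body length; then descriptor type, key info, key length, replay counter, nonce, IV, RSC, key ID, MIC, key data length, key data; WPA uses descriptor type 254 from the D3.0 draft, as the log shows). The frame bytes, MAC addresses, passphrase, SSID, PMK and PTK are those copied from the debug output in the post; nothing else is assumed. Beyond splitting fields, the example re-derives the PMK from the passphrase (PBKDF2-HMAC-SHA1, 4096 rounds), the PTK (PRF-512 over the MACs and nonces) and the message 2/4 MIC (HMAC-MD5 for key descriptor version 1, which is what TKIP uses), so the logged values can be cross-checked rather than trusted, and it walks the key data to find the WPA IE. On the bytes from the post the key data length field is 0x0018 = 24 and the key data is exactly the 24-byte WPA IE, so nothing is truncated on the wire; what an 802.11i authenticator compares that IE against is the WPA IE it received in the (Re)Association Request, which is the other half of the exp=26/act=24 message.

```python
import hashlib
import hmac
import struct

def hx(s):
    """Hex string with any whitespace -> bytes."""
    return bytes.fromhex("".join(s.split()))

# Values copied from the debug output in the post.
AA = hx("00 12 7f 8b 62 30")    # authenticator address (BSSID)
SPA = hx("00 10 c6 30 9b fe")   # supplicant address (station MAC)
PMK_LOGGED = hx("ad 6e 58 39 36 e3 71 12 f8 d8 c1 d5 62 24 c4 d8 99 fa 4d fc 74 e0 a7 c4 be c3 65 8b 9d b3 c4 9b")
PTK_LOGGED = hx("bf 80 40 f7 07 74 ce 18 77 c3 d1 ee 52 dd ff 96 e0 81 59 c6 54 fa 7a 14 23 4c c1 41 4c e8 13 ed"
                "2d a9 3b 12 87 b0 fb 8e 12 bd fa ea 32 ad f2 59 b9 33 82 f2 b9 77 37 46 44 76 17 37 ed ce 4b 21")
WPA_IE = hx("dd 16 00 50 f2 01 01 00 00 50 f2 02 01 00 00 50 f2 02 01 00 00 50 f2 02")
# Message 1/4 as received (99 bytes) and message 2/4 as sent without its 14-byte
# Ethernet header (123 bytes: everything after the 0x888e EtherType).
MSG1 = hx("01 03 00 5f fe 00 89 00 20 00 00 00 00 00 00 00 01 eb 5f 39 16 f1 80 67 a5 6b 2d b6 3e db a3 b2 a6"
          "70 ff 66 8b fa 9a db 6f 9c 96 0b 31 8b 75 5b 4e") + bytes(50)
MSG2 = (hx("01 03 00 77 fe 01 09 00 20 00 00 00 00 00 00 00 01 cf 1d 81 62 ab c0 30 7a 7e c0 31 43 c9 0d 49 7f"
           "79 97 12 8c 05 36 a7 cd 86 f0 b3 ef 7b 12 0d ec") + bytes(32)        # IV, RSC, key ID are zero
        + hx("e4 24 70 e7 43 92 25 5a 82 92 9c 5c 2f 74 6d 7c 00 18") + WPA_IE)  # MIC, key data len, key data

EAPOL_KEY = 3            # 802.1X packet type
FIXED_BODY_LEN = 95      # key-descriptor bytes before the variable-length key data
MIC_OFFSET = 4 + 77      # EAPOL header + descriptor bytes preceding the 16-byte MIC

def parse_eapol_key(frame):
    """Split an EAPOL-Key frame into its WPA/802.11i key-descriptor fields."""
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_KEY:
        raise ValueError("not an EAPOL-Key frame (type %d)" % ptype)
    body = frame[4:4 + body_len]
    if len(body) < body_len or body_len < FIXED_BODY_LEN:
        raise ValueError("EAPOL body truncated: have %d, header says %d" % (len(body), body_len))
    desc_type, key_info, key_length = struct.unpack("!BHH", body[:5])
    key_data_len = struct.unpack("!H", body[93:95])[0]
    key_data = body[95:95 + key_data_len]
    if len(key_data) != key_data_len:
        raise ValueError("key data truncated: have %d, field says %d" % (len(key_data), key_data_len))
    return {"version": version, "body_len": body_len, "descriptor_type": desc_type,
            "key_info": key_info, "key_length": key_length, "replay_counter": body[5:13],
            "nonce": body[13:45], "iv": body[45:61], "rsc": body[61:69], "key_id": body[69:77],
            "mic": body[77:93], "key_data_len": key_data_len, "key_data": key_data}

def derive_pmk(passphrase, ssid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs, min/max of the nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 64)   # KCK = [0:16], KEK = [16:32], TK = [32:64]

def verify_mic(kck, frame):
    """Recompute the MIC over the EAPOL-Key frame with the MIC field zeroed."""
    key = parse_eapol_key(frame)
    frame = frame[:4 + key["body_len"]]
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    ver = key["key_info"] & 0x0007          # key descriptor version: low 3 bits of key info
    if ver == 1:                            # WPA/TKIP: HMAC-MD5
        calc = hmac.new(kck, zeroed, hashlib.md5).digest()
    elif ver == 2:                          # CCMP: HMAC-SHA1 truncated to 128 bits
        calc = hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    else:                                   # version 3 (AES-128-CMAC) not implemented here
        raise ValueError("unsupported key descriptor version %d" % ver)
    return hmac.compare_digest(calc, key["mic"])

def find_wpa_ie(key_data):
    """Return the WPA vendor IE (ID 0xdd, OUI 00:50:f2 type 1) from the key data, or None."""
    i = 0
    while i + 2 <= len(key_data):
        ie = key_data[i:i + 2 + key_data[i + 1]]
        if ie[0] == 0xDD and ie[2:6] == b"\x00\x50\xf2\x01":
            return ie
        i += len(ie)
    return None

def check_msg2(frame, pmk, anonce, aa, spa):
    """What the authenticator checks on message 2/4: MIC under the derived PTK, and the IE in key data."""
    key = parse_eapol_key(frame)
    ptk = derive_ptk(pmk, aa, spa, anonce, key["nonce"])
    ie = find_wpa_ie(key["key_data"])
    return {"ptk": ptk, "mic_ok": verify_mic(ptk[:16], frame),
            "key_data_len": key["key_data_len"], "wpa_ie_len": len(ie) if ie else None,
            "key_data_is_only_the_ie": ie == key["key_data"]}

if __name__ == "__main__":
    pmk = derive_pmk("Testkey1", "MNFUNK2")
    print("PMK matches log:", pmk == PMK_LOGGED)
    result = check_msg2(MSG2, pmk, parse_eapol_key(MSG1)["nonce"], AA, SPA)
    print("PTK matches log:", result.pop("ptk") == PTK_LOGGED, result)
```

`verify_mic` takes the 16-byte KCK, not the whole PTK; for WPA (descriptor version 1) the MIC is HMAC-MD5 over the EAPOL frame from the version byte through the key data, with the MIC field set to zero. To check a frame from a live capture, strip the 802.11/Ethernet header so the buffer starts at the EAPOL version byte, as the message 2/4 dump from the post does after `88 8e`.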