Is PMF with development branch working?

Jouni Malinen j at w1.fi
Thu May 3 02:22:12 PDT 2018


On Thu, May 03, 2018 at 08:37:08AM +0000, Karthik Krishnamoorthy wrote:
> I am working on the development branch for hostapd.
> 
> I started testing PMF mode, with ieee80211w=1.
> 
> From testing what I see is the client fails to associate.
> 
> On sniffer analysis, I found that Message 3 from AP is not proper.

Can you please share a sniffer capture file showing this, the
hostapd.conf file used in the test, and debug log from hostapd (ideally,
using some dummy passphrase/password and -ddK on the command line to
expose all key material)?

Which client did you use in the test? And what do you mean by "fails
to associate"? 4-way handshake is started only after the association has
been completed, so if you get to Message 3 of the 4-way handshake, the
client has already associated.

> Especially the WPA key data length is 88 bytes.
> 
> Whereas when I compare this with hostapd 2.1 version, the WPA key data length is 96 bytes.
> 
> There is an 8-byte mismatch in the M3 message from AP between hostapd version 2.1 and latest development branch version.

The length of the Key Data field depends on the contents of the RSN
element and group cipher, so both of those lengths can be valid.

> Clients associate with hostapd 2.1 version, so I believe that is a correct length.

There is no specific "correct length". For example, a commonly used RSNE
of 22 octets (ending with the RSN Capabilities subfield), CCMP as the
group cipher, and BIP as the group management cipher ends up having
22+24+30=76 octets of IEs/KDEs in the plaintext version. That gets
padded with 4 octets to 80 octets to make this a multiple of 8. And AES
Key Wrap adds 8 octets to the length, so the total encrypted length of
the Key Data field becomes 88 octets.

> Anyone seen this behaviour or is this fixed already? Do I need to sync to latest code?

I'm not aware of any issues in the PMF implementation between version
2.1 and the current snapshot.

-- 
Jouni Malinen                                            PGP id EFC895FA
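
Added example (not part of the original message and not hostapd code): a Python sketch that builds the plaintext M3 Key Data described in the reply from constructed sample values (all-zero GTK/IGTK, a PSK/CCMP RSNE) and walks it to show where 88 octets comes from. The 28-octet RSNE variant with PMKID Count and Group Management Cipher Suite fields is an assumption added here to show that the same rules can also yield 96; the AES Key Wrap itself is not performed, only its 8-octet overhead is counted.

```python
import struct

OUI = bytes.fromhex("000fac")  # OUI used by RSN cipher/AKM suites and KDEs

def rsne(with_mgmt_cipher_field=False):
    # Constructed RSNE: CCMP group + pairwise, PSK AKM, MFPC capability bit.
    body = struct.pack("<H", 1) + OUI + b"\x04"       # Version 1, group cipher CCMP
    body += struct.pack("<H", 1) + OUI + b"\x04"      # 1 pairwise suite: CCMP
    body += struct.pack("<H", 1) + OUI + b"\x02"      # 1 AKM suite: PSK
    body += struct.pack("<H", 0x0080)                 # RSN Capabilities (MFPC)
    if with_mgmt_cipher_field:                        # assumed optional variant
        body += struct.pack("<H", 0) + OUI + b"\x06"  # PMKID Count 0, BIP-CMAC-128
    return bytes([48, len(body)]) + body              # element ID 48, length

def kde(data_type, payload):
    # KDE header: type 0xdd, length, OUI, data type.
    return bytes([0xDD, 4 + len(payload)]) + OUI + bytes([data_type]) + payload

def m3_plaintext(rsn_ie, gtk, igtk):
    plain = rsn_ie
    plain += kde(1, b"\x01\x00" + gtk)                        # GTK KDE, KeyID 1
    plain += kde(9, struct.pack("<H", 4) + bytes(6) + igtk)   # IGTK KDE, KeyID 4, IPN
    if len(plain) < 16 or len(plain) % 8:
        plain += b"\xdd"                                      # pad marker
        while len(plain) < 16 or len(plain) % 8:
            plain += b"\x00"                                  # then zeros
    return plain

def breakdown(plain):
    # Walk IEs/KDEs; 0xdd followed by 0x00 (or a lone last octet) is padding.
    sizes, i = [], 0
    while i < len(plain):
        if i + 1 >= len(plain) or (plain[i] == 0xDD and plain[i + 1] == 0):
            break
        n = 2 + plain[i + 1]
        sizes.append(n)
        i += n
    return {"elements": sizes, "padding": len(plain) - i,
            "wrapped": len(plain) + 8}                        # key wrap adds 8

if __name__ == "__main__":
    for variant in (False, True):
        print(breakdown(m3_plaintext(rsne(variant), bytes(16), bytes(16))))
```
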


