wpa_supplicant WPA crashes Sitecom WL-114 router

Jouni Malinen jkmaline at cc.hut.fi
Sat Mar 26 21:07:36 EST 2005


On Fri, Mar 25, 2005 at 01:59:14PM +0100, Lorenzo Colitti wrote:

> I dug a little bit deeper and I think that the key to understanding the 
> problem is that the AP skips a number in the replay counters between 4/4 
> 4-way and 1/2 group. This suggests it's hardcoding replies and receiving 
> packets from the supplicant that it doesn't expect. wpa_supplicant does 
> complain about the replay counters:
> 
> >Custom wireless event: 'MLME-REPLAYFAILURE.indication(keyid=0 unicast 
> >addr=00:11:0a:81:6b:64)' 

These are two completely different replay counters. This messages is
actually from the driver and it indicates that an encrypted packet was
dropped because its sequence number did not increase.

AP is probably not skipping any number; this is more likely caused by
the client missing the first encrypted group key message and then
receiving the second one.

> I found that one thing the AP didn't like was that wpa_supplicant 
> doesn't send an EAPOL start message. I hacked wpa_supplicant to include 
> that and the packets that the AP sends are much more similar to the ones 
> it sends to Windows.

What do you mean by "AP didn't like"? Did it do something incorrect?
EAPOL-Start is not used in WPA-PSK even though the Microsoft supplicant
does indeed send it.

> But I still can't get it to work. I used Ethereal to sniff the 
> unencrypted packets both on Windows and on Linux, and the only 
> significant differences I see, apart from the fact that the Windows 
> driver sends WPA keys of length 26 instead of 24, are the replay 
> counters. (See attached text files for decoded packets and diff.txt for 
> differences.)

Those are not "keys", but WPA IEs which is of variable length.

> Any ideas? Should I try to get a second card in monitor mode and see 
> what happens?

That would be more or less the only remaining thing that could be done
easily without having to get the AP vendor involved in debugging what is
going wrong..

-- 
Jouni Malinen                                            PGP id EFC895FA



More information about the HostAP mailing list