Intel wifi5300 sends an incorrect Registrar Nonce

Jouni Malinen j at
Fri May 27 11:33:38 EDT 2011

On Thu, May 26, 2011 at 05:46:49PM +0900, Takashi Kawamoto wrote:

> I'm running WPS with hostapd-0.7.3 and an External Registrar on the 
> following environment and come across a failure of Registration Protocol.
> [environment]
> AP:
>   Kernel      :
>   Distribution: Fedora 7
> Registrar     : Windows Vista
> When I use Intel wifi5300 (Driver Ver:13.5.0 ) as an Enrollee, it 
> responds a WSC-ACK including an incorrect Registrar Nonce after 
> hostapd sends M2D to wifi5300. The Registrar Nonce is the same as used 
> in the previous Registration Protocol session.

There are number of bugs in existing WPS implementations.. Many
Enrollees do not really work correctly when multiple Registrars are
available and the first one is not ready for the specific Enrollee. This
case that you describe sounds like that type of issue. Are you using
Intel implementation of WPS Enrollee on the station (i.e., PROSet)?
Which version of the application?

> This phenomenon seems to apparently ascribe to the Intel's chip 
> implementation. However, if hostapd waits for an External Registrar 
> sending a PutWLANResponse before starting sending M2/M2D, hostapd will 
> get a valid Device Password and send M2, not M2D. How do you think?

That could be one workaround for the issue in some Enrollees, but I
would prefer not to change the order of M2/M2D messages since this would
only work for one case (a single ER and the internal Registrar).
Multiple ER cases would likely hit the same issue. In addition, changing
the order would add extra latency to the protocol run.

I don't remember this failing with the latest PROSet tests I ran,
though.. If you can easily reproduce this with the latest PROSet running
on  the Enrollee, it would be interesting to see a verbose debug log
from hostapd from a failing test.

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list